Chapter 1


Introduction 

In recent years a great deal of effort has gone into discovering convenient and powerful methods of reasoning about the behavior of computer programs. There are two main goals of this research. First, we need a precise definition of exactly what a program is. At present there is no general agreement on the exact meanings of programs, and there is even less agreement on what sort of programs we should be assigning meaning to. Second, we need a convenient but precise method of proving properties of programs. Even when the meaning of a program is understood, the very general set-theoretic proofs have proved cumbersome, with most authors choosing more informal methods. The results have been incorrect or unconvincing proofs. For example, Dijkstra's on-the-fly garbage collector [D78] in its original version contained a subtle bug, although Dijkstra "proved" the program correct.

Below is a brief history of the work leading up to this thesis.

Floyd [Fl67] and Hoare [Ho69] presented early systems for reasoning about programs. Those methods are used primarily for proving properties related to termination of the program. For example, Hoare's partial correctness assertion P {A} Q states that if program A is started with P true, then whenever (if ever) A terminates, Q holds.

Floyd suggests the well-founded-set method of proving that a program must terminate, which consists of showing that going around any loop in the program must result in the decrease of some well-founded quantity.

Partial correctness is far from the only useful property of programs. Manna and Waldinger [MW78] give examples where using the condition "P must eventually become true" leads to natural proofs of interesting properties of programs. A really useful logic of programs should permit its user many different methods of reasoning about programs. Pratt's Dynamic Logic [Pr76] and later Harel's DL+ [HP78] bring the "eventuality" and partial correctness methods together into a single elegant framework. The heart of DL is the formula [A]Q, meaning "if program A is started in the current state, then whenever (if ever) A terminates, Q holds." The Hoare style partial correctness assertion P {A} Q is expressed in DL as P ⊃ [A]Q, which simply states that, if P holds in the current state, then [A]Q also holds in the current state. The dual <A>Q ≡ ¬[A]¬Q of [A]Q states that it is possible for program A to halt with Q true. Dynamic Logic programs are in general nondeterministic. Hence it is possible for <A>Q and <A>¬Q to be simultaneously true.

Among concurrent programs, programs which terminate are the exception rather than the rule. Typical nonterminating programs are operating systems, on-the-fly garbage collectors, the dining philosophers program, and so on (see [FP76]). It is clear that termination properties are inadequate for reasoning about such programs.

Pratt [Pr78] suggests extending Dynamic Logic by adding new operators for discussing the behavior of a program in time. For instance, the operator {A}Q expresses the global invariance of Q over A, meaning that Q holds throughout the execution of program A, started in the current state. Numerous other properties are possible.

Among possible operators for describing the temporal behavior of programs, Lamport [L80] identifies two classes: linear time and branching time operators. Most logics to date include either one or the other, but not both. As both have uses, a powerful logic should include both.

By process logic, we mean any language which is used to express properties of processes, or programs, the properties in general not being related to the termination of the process. We have mentioned the process logics of Pratt and Lamport. Others, which are described in more detail later, are the process logics of Pnueli [Pn77, Pn79], Gabbay et al. [GPSS80], Parikh [Pa78], Harel et al. [HKP80], and Nishimura [N79].

In this work we take three approaches to process logic.

1. What sorts of properties can be expressed in a simple, termination oriented logic, in particular Propositional Dynamic Logic (PDL)? In Chapter 2 we demonstrate that PDL can express much more than is readily apparent.

The power of PDL is revealed by adding auxiliary Boolean variables to PDL. Such variables add no expressive power to PDL, though they allow more concise expression of some properties. In particular, properties regarding the concurrent execution of programs can be expressed concisely using Boolean variables.

While PDL can express a surprising number of properties of programs, it cannot express all that we need. Therefore we develop more powerful logics.

2. The second approach is the classical approach of defining a version of the predicate calculus which is suited to describing processes. We call this logic GPL, for General Process Logic. Unlike PDL, GPL does not have programs: a valid GPL sentence is one which holds for all processes. The absence of programs makes the presentation of GPL simpler, and allows us to at least partially analyze GPL.

3. The third approach is to adapt modal logic to a logic of processes. The logic MPL (for Modal Process Logic) is slightly less expressive than GPL, but is much easier to analyze, and to work with in general. We prove that MPL is decidable, and give a complete proof system for MPL.

Neither GPL nor MPL has programs. In Chapter 5 we consider the addition of programs to MPL. (Programs can also be added to GPL, but we do not bother to define GPL with programs here.) MPL with programs is called MPL/P. MPL/P has at least as much expressive power as Nishimura's process logic [N79], which in turn is at least as expressive as Pratt's process logic [Pr78] and Parikh's SOAPL [Pa78]. We conjecture that MPL/P is more expressive than all of the above logics.

1.1. Processes

The rest of this chapter is spent defining processes and programs and discussing the consequences of those definitions. Of primary importance is the discussion of blocking, which may differ from the reader's notion.

A process is a semantic entity, as opposed to a program, which is syntactic. We choose a very abstract notion of process. There are no communication primitives, as there are in [Ho76, MM77]. Instead, individual processes communicate with each other by altering a common state, which can be thought of as encompassing all of the memory of the system, whether private to a given process or shared by two or more processes. Indeed, there is no notion of several processes inherent to the semantics of processes. The definition of a process is sufficiently general that an entire system of processes running concurrently can be viewed as a single super process.

Our notion of process is related to Pratt's, in that a process is a set of computation sequences over a given set of states U. The main difference is that rather than being a sequence of states, a computation sequence, or path, is a sequence of transitions between states. The transition from state u to state v is written <u→v>. Additionally, each path has a start state, which is of use primarily when the sequence of transitions is empty.

Our definitions are simplified by postulating a special state Λ ∉ U, a "block" state. Unlike Pratt's Λ, our Λ can never actually be entered by a process. The role of Λ is explained in detail under blocking below.

Formally, the set of paths Ψ(U) over U and the set of processes Π(U) over U, where U is a countable set of states, are defined as

$$\Psi(U) = U \times \big(U \times U \,\cup\, \{\langle \Lambda \to \Lambda \rangle\}\big)^{\le\omega},$$

with the condition that if (u, <v→w>σ) ∈ Ψ(U) then either v = u or v = Λ, and

$$\Pi(U) = \mathcal{P}(\Psi(U)).$$

Here S^{≤ω} denotes the finite and infinite sequences over S, and 𝒫 denotes powerset. Some other useful definitions are as follows:


Let ψ = (u, σ) and ψ' = (u', σ') be paths.

ℓ(ψ) = the number of transitions in σ (possibly ω).

start(ψ) = u.

$$\mathrm{end}(\psi) = \begin{cases} u & \text{if } \sigma = \varepsilon, \\ w & \text{if } \sigma = \tau\langle v \to w\rangle, \\ \text{undefined} & \text{if } \ell(\psi) = \omega. \end{cases}$$

ψ is a prefix of ψ' if σ is a prefix of σ', and u = u'.

The concatenation ψ·ψ' of ψ and ψ' is defined when ℓ(ψ') > 0:

$$\psi\cdot\psi' = \begin{cases} \psi & \text{if } \ell(\psi) = \omega, \\ (u, \sigma\sigma') & \text{if } \ell(\psi) < \omega. \end{cases}$$

The only restrictions on paths are that 1) Λ appear only in the transition <Λ→Λ>, and 2) the start state be the same as the first state in the first transition (or Λ). For example, ψ = (u, <u→w><y→z>) is an acceptable path, even when w ≠ y. Path ψ represents a computation sequence which reaches state w, then moves from state y to state z, an impossibility. There are reasons for accepting such absurd paths. One is that some concurrent process, to be added later, could in fact make the phantom transition from w to y. Another reason is discussed below. We say that a path ψ is legal provided each transition starts where the previous one ended, the start state counting as the state before the first transition:

$$\psi = (u, \sigma\langle v\to w\rangle\langle y\to z\rangle\sigma') \;\Rightarrow\; w = y, \qquad \psi = (u, \langle v\to w\rangle\sigma') \;\Rightarrow\;  v = u.$$

The stages S(U) are the finite legal paths over U. If π is a process, the set pre(π) is the set of all stages which are prefixes of members of π.

Transition sequences have some advantages over ordinary computation sequences (sequences of states). One is that the concurrent execution of two processes can be defined simply as the shuffle of the transition sequences associated with each process. The same is not true for state sequences, for they don't retain enough information. Another advantage is that blocking, an important notion of concurrent processes, is readily defined in terms of transition sequences. A third advantage is that transitions can be labeled, so that it is possible to tell which process makes a given transition. Such labels are imperative if we wish to know if a given path is fair, in the sense that each process makes infinitely many transitions. Labels are discussed further in Chapter 5.

As can be seen from the lack of restrictions on processes, processes are nondeterministic. A process may have any number of paths whose initial state is u. Moreover, a process may contain any number of paths, all with prefix ψ. Intuitively, that means that, after running for a while and reaching stage ψ, there are many possible ways in which the process might continue. Processes may exhibit infinite nondeterminism, which means that, even when the set U is finite, and ignoring blocked paths, a given process π might not be the set of paths in any finite branching tree. Infinite nondeterminism is required to represent several processes running concurrently, even when each component process is treelike (see [LF79]), provided the concurrency operation obeys the finite delay property: no component of a concurrent system which is ready to execute a transition infinitely often is forever denied executing a transition. A simple program which exhibits infinite nondeterminism is

(while x=0 do noop)//(x:=1).

The first component may run arbitrarily much faster than the second process, but not infinitely much faster. Hence, assuming x=0 at the start, the while loop may be executed any finite number of times, but not infinitely many times. We will find that infinite nondeterminism has special significance in both GPL and MPL, though in opposite ways. Our decision method for MPL makes use of processes which exhibit infinite nondeterminism, while that for GPL cannot deal with such processes.

Blocking

Every path has three possible fates: it may terminate, run forever or block. A terminating path is a finite legal path. Infinite legal paths run forever. And a blocking path is an illegal path, whether finite or infinite. For example, let u and v be distinct states. Then

(u, <Λ→Λ>),
(u, <u→v><u→v>),
and (u, <u→v><Λ→Λ>)

are all blocked paths. The transition <u→v> cannot be executed unless the process is in state u. Note that the transition <Λ→Λ> can never be executed on any path, for no path may begin in state Λ, and no transition of the form <u→Λ>, for u ≠ Λ, is permitted. Thus <Λ→Λ> is a "block marker." It is convenient to have such a marker which must always cause a block.

Our notion of blocking may be different from the reader's. In our notion, a block in a path merely means that the rest of the path is nonsense, suggesting that some other path be taken. Consider the program

while true do nothing.

In terms of PDL programs, defined shortly, "while true do nothing" is written

(true?)*; false?.

Suppose U contains a single state u. Then by the definition in the next section, (true?)*; false? represents the process

$$\pi = \{(u, \langle u\to u\rangle^k\langle\Lambda\to\Lambda\rangle) : k \ge 0\} \;\cup\; \{(u, \langle u\to u\rangle^\omega)\}.$$

Almost all of the paths block. But every stage (u, <u→u>^k) is a prefix of some path which does not block at that stage. Imagine an interpreter executing π. The interpreter must make nondeterministic choices. The choices can be made by choosing a path, say (u, <u→u>^k <Λ→Λ>). After executing <u→u>^k, the interpreter encounters the transition <Λ→Λ>, which it cannot execute. Rather than giving up, the interpreter can choose a new path which has <u→u>^k as a prefix, and so might just as well have been the chosen path. In fact, the interpreter can always find a path in π along which it can continue.

The interpreter (or "oracle," since it makes "correct" nondeterministic choices) just described is not built into processes in any sense. Rather, the statements which we make about processes can be looked at as having the form "when π is evaluated by a smart interpreter (one which tries other paths when a block is encountered on one path), then π obeys property p." For example, if we want to state that π cannot block, we do not say that π contains no blocked paths, but instead say that every legal prefix of every path in π is a proper prefix of some legal prefix of some (possibly different) member of π. The formula itself specifies the degree of wisdom of the oracle.

Reif and Peterson [RP80] carry the ability to specify the behavior of an oracle even further. In their logic, a formula can call for an oracle which is benevolent with respect to choices made by some components, and malicious with respect to choices made by others. Generally, it is conceivable that some sort of "oracle specifier" could be added to the box operator of MPL (see Chapter 4), restricting the range of quantification over paths. We do not consider oracle specifiers in this work.

1.2. Programs

We use Propositional Dynamic Logic program syntax for our programs, with the addition of a concurrency operator. Thus concurrent programs are statically created, as in [LF79, OG76]. We do not make any provision for running arbitrarily many copies of a program in parallel, as in [S78]. PDL programs are particularly easy to give a semantics for. Also, in Chapter 2 we choose PDL as a termination logic framework, making PDL programs the most natural to use for our other logics. For the semantics of programs, we use processes. Program α represents process π(α). Basic programs are just symbols from a set Σ₀, and are given an interpretation π₀: Σ₀ → Π(U).

We place some restrictions on the processes represented by programs.

1. π(α) must not contain any paths of length zero. Each transition represents one unit of time. If α can completely execute in zero units of time, then α* can execute infinitely many times in zero units of time, an undesirable situation.

2. For every state u, π(α) contains at least one path starting at u. This is really no restriction, since π(α) may contain only the path (u, <Λ→Λ>), which blocks without doing anything at all. This is mainly a technical restriction, making definitions slightly easier.

The syntax and semantics π: programs → Π(U) of programs is given below. Let α and β be programs.

1. Any basic program A is a program, with π(A) = π₀(A).

2. α ∪ β is a program. α ∪ β means "nondeterministically choose to run either α or β." π(α ∪ β) = π(α) ∪ π(β).

3. α;β is a program. α;β means "run α, followed by β." π(α;β) = π(α)·π(β) (concatenation of processes).

4. α* is a program. α* means "run α any number (possibly ω) of times, the choice being made nondeterministically." π(α*) = π(α)^{≤ω}, the set of all finite or infinite concatenations of members of π(α).

5. α//β is a program. α//β means "run α and β in quasi-parallel." π(α//β) is the smallest set which satisfies the following: Suppose (u, σ₁σ₂σ₃…) ∈ π(α) and (v, τ₁τ₂τ₃…) ∈ π(β), where σ₁ and τ₁ are nonempty, and σᵢ and τᵢ are either empty or finite or infinite for i > 1. Then

$$(u, \sigma_1\tau_1\sigma_2\tau_2\sigma_3\tau_3\cdots) \in \pi(\alpha//\beta) \quad\text{and}\quad (v, \tau_1\sigma_1\tau_2\sigma_2\tau_3\sigma_3\cdots) \in \pi(\alpha//\beta).$$

By our definition, α//β does not obey the finite delay property. It is possible to define α//β with finite delay, by insisting that each σᵢ and τᵢ be finite. We will sometimes consider this alternate definition of // in the work that follows.

6. If p is a formula of a certain type, which may be different for each logic, then p? is a program. The truth value of p must depend only on a state. When p is true, p? executes a null transition. When p is false, p? cannot execute, and so must block.

π(p?) = {(u, <u→u>) : p holds in state u} ∪ {(u, <Λ→Λ>) : p does not hold in state u}.

1.3. Truth in GPL and MPL

The logics GPL and MPL are defined in terms of a Kripke style truth value semantics. A structure A = (U, π, Φ₀, φ₀) consists of a set U of states, a process π in Π(U), a set Φ₀ of basic formulas or predicates, and an interpretation φ₀: Φ₀ → 𝒫(U) which assigns to P the set of states where P holds. The truth value of a formula depends on a structure, as well as some additional parameters, which differ slightly between GPL and MPL, mainly because a GPL formula may have many free variables whose values must be specified. An environment, or model, contains all of the information necessary to determine the truth value of a formula. For each logic, a relation E ⊨ p, read "E satisfies p," between environments and formulas is defined. We say that a formula p is satisfiable if there is some environment E which satisfies p. We say that p is valid if ¬p is not satisfiable, i.e., if p is satisfied by every environment.


Chapter 2

Boolean Variables in Propositional Dynamic Logic

A reasonable first approach to dealing with concurrent programs is simply to add a concurrency operator to an established sequential program logic, such as Propositional Dynamic Logic. The semantics of programs may have to be changed to be able to define the concurrent execution of two programs. Such a logic would be suitable at least for describing termination properties of concurrent programs. (As we show below, it is capable of much more.)

PDL programs are close to regular expressions. It is well known that the shuffle of two regular sets is a regular set [GS65]. Hence it would seem reasonable that, at least in some cases, the concurrency operator could be expressed in terms of ∪, ; and *. That is the case when basic programs must be indivisible, i.e., every path in π₀(A) must have length one.

For the rest of this chapter we adopt the convention that basic programs are indivisible. In this view, basic programs represent low level instructions, which are executed in a single step, as opposed to more complex programs. The restriction to indivisible basic programs greatly simplifies the study of concurrency, by allowing us to know just how programs can be interleaved. If A and B are two non-indivisible basic programs, it is difficult to know what A//B will do, given only the behavior of A and B individually. We are not the first to restrict basic programs to indivisible actions (see e.g. [OG76, Pn77, RP80, N79]).

Infinite paths in π(α) can have no bearing on the truth of [α]p, which only states that the finite legal paths end on a state satisfying p. So eliminating all infinite paths from all processes can have no effect on the truth of any PDL formula. Consequently, the two possible definitions of PDL with //, one with finite delay and the other without finite delay, must in fact be identical. Until we leave the realm of PDL, we can ignore the question of finite or infinite delay.

Although concurrency can be eliminated from PDL programs, the elimination is costly, the best known method causing a double exponential length blowup. We certainly would hope for a better method of handling concurrency than the brute force method of considering all possible ways of interleaving programs. Such a method does exist. Suppose we introduce into PDL auxiliary variables, whose values can be assigned and tested without affecting in any way the behavior of basic programs. Those variables could be used to efficiently write an "interpreter," which evaluates a concurrent program. By storing one or more program counters in variables, the interpreter can remember where one or more programs are at each instant.

The auxiliary variables can also be used to help express properties other than simple termination properties of programs. For example, to state that p holds throughout the execution of α, we simply write [I_α]p, where I_α is an interpreter for α which may halt at any time during the evaluation of α.

Below we define an extension B-PDL of PDL which includes Boolean variables. We list a number of concepts which B-PDL can simulate. We also show that every B-PDL formula is equivalent, in a sense defined precisely later, to some PDL formula. Consequently, any concept which can be expressed in B-PDL can also be expressed (albeit less concisely) in PDL. We prove upper and lower bounds on the time complexity of the satisfiability problem for B-PDL. A related upper bound naturally applies to any logic which can be efficiently simulated by B-PDL.

2.1. B-PDL

We begin by giving formal definitions of sequential PDL and B-PDL. Because the box operator of PDL only looks at the first and last states of a path, we can simplify the semantics of programs, letting each path consist only of a start state and a final state. A program represents a set of such paths, which is just a binary relation over states.

After defining B-PDL, we show informally that B-PDL can efficiently simulate certain notions, such as concurrency, which really require that programs represent sets of paths rather than binary relations. Given the definition in Chapter 1 of π(α), the reader should have little difficulty in extending our relational definition of B-PDL to a definition based on processes. A formal proof that concurrency can be eliminated from B-PDL formulas naturally must be carried out in a version of B-PDL which includes concurrency, and whose programs represent processes rather than relations.

The following definition of PDL is taken from [FL79]. A PDL structure A = (U, Φ₀, Σ₀, φ₀, ρ₀) consists of

U = a set of states;

Φ₀ = a set of basic formulas;

Σ₀ = a set of basic programs;

φ₀: Φ₀ → 𝒫(U), assigning to each basic formula the set of states where it holds;

ρ₀: Σ₀ → 𝒫(U×U), assigning to each basic program a binary relation over U.

The programs Σ, formulas Φ and their associated semantics ρ: Σ → 𝒫(U×U) and φ: Φ → 𝒫(U) are defined inductively as follows.

Programs

1. A ∈ Σ₀ is a program with ρ(A) = ρ₀(A).

2. Let α, β ∈ Σ, p ∈ Φ.

a) α ∪ β ∈ Σ, ρ(α ∪ β) = ρ(α) ∪ ρ(β);

b) α;β ∈ Σ, ρ(α;β) = ρ(α) ∘ ρ(β) (composition of relations);

c) α* ∈ Σ, ρ(α*) = ρ(α)* (reflexive transitive closure of a relation);

d) p? ∈ Σ, ρ(p?) = {(u,u) : u ∈ φ(p)}.

Formulas

1. P ∈ Φ₀ is a formula, with φ(P) = φ₀(P).

2. Let p, q ∈ Φ, α ∈ Σ.

a) ¬p ∈ Φ, φ(¬p) = U − φ(p);

b) p ∨ q ∈ Φ, φ(p ∨ q) = φ(p) ∪ φ(q);

c) <α>p ∈ Φ, φ(<α>p) = {u : ∃v ((u,v) ∈ ρ(α) and v ∈ φ(p))}.

[α]p is defined as ¬<α>¬p.
For a thorough discussion of PDL, see [FL79]. We generally write u ⊨ p for u ∈ φ(p). The symbols ∧, ⊃, etc. have their usual meanings. We remark that the PDL program constructs can express the usual if-then-else and while-do constructs, as

if p then a else b ≡ (p?;a) ∪ (¬p?;b),
while p do a ≡ (p?;a)*; ¬p?.
We proceed now to B-PDL. A B-PDL structure contains, in addition to all of the members of a PDL structure, a set V of Boolean variables. If x is a Boolean variable, then x is a formula, and x↑ (set x) and x↓ (reset x) are programs. The truth of a formula depends not only on a state u, but also on a set s containing the Boolean variables which are true. Programs of B-PDL represent relations over U × 𝒫(V), with the basic programs altering only the first component, and the set and reset programs altering only the second component. Using separate components achieves the desired independence of variable actions and program actions which is necessary to write the sort of interpreter described earlier. The sets Σ_B of B-PDL programs and Φ_B of B-PDL formulas, along with their respective semantics ρ_B: Σ_B → 𝒫((U × 𝒫(V))²) and φ_B: Φ_B → 𝒫(U × 𝒫(V)), are defined inductively below.

Programs

1. A ∈ Σ₀ is a program in Σ_B, with ρ_B(A) = {((u,s), (v,s)) : (u,v) ∈ ρ₀(A), s ⊆ V}.

2. Let x ∈ V.

a) x↑ ∈ Σ_B, ρ_B(x↑) = {((u,s), (u,s')) : s' = s ∪ {x}};

b) x↓ ∈ Σ_B, ρ_B(x↓) = {((u,s), (u,s')) : s' = s − {x}}.

3. α ∪ β, α;β and α* are defined exactly as for PDL. If p is in Φ_B, then p? is a program, with ρ_B(p?) = {((u,s), (u,s)) : (u,s) ∈ φ_B(p)}.

Formulas

1. P ∈ Φ₀ is a formula, with φ_B(P) = φ₀(P) × 𝒫(V).

2. x ∈ V is a formula, with φ_B(x) = U × {s ⊆ V : x ∈ s}.

3. Let p, q ∈ Φ_B, α ∈ Σ_B.

a) ¬p ∈ Φ_B, φ_B(¬p) = U × 𝒫(V) − φ_B(p);

b) p ∨ q ∈ Φ_B, φ_B(p ∨ q) = φ_B(p) ∪ φ_B(q);

c) <α>p ∈ Φ_B, φ_B(<α>p) = {(u,s) : (∃ v ∈ U, t ⊆ V) ((u,s), (v,t)) ∈ ρ_B(α) and (v,t) ∈ φ_B(p)}.

We write u,s ⊨ p for (u,s) ∈ φ_B(p). Below is a list of examples demonstrating the power of B-PDL.

1. Integers in the range 0 to 2ⁿ−1 can be represented using n Boolean variables. It is routine to write a program of length O(n) which adds or subtracts two such integers, or tests them for equality, or determines which is larger. Bounded quantification over the range [0, 2ⁿ−1] is expressed as ∀x ≡ [x ← random], where x ← random ≡ (x₁↑ ∪ x₁↓); …; (xₙ↑ ∪ xₙ↓).

2. The program αⁿ ≡ α; …; α (n times) can be abbreviated using Boolean variables, representing integers up to n, as follows:

I ← 0;
while I ≠ n do (α; I ← I + 1).

This program has length ℓ(α) + O(log n), which may be considerably shorter than nℓ(α). The programs x↑, x↓, x? and ¬x? used in the while-loop cannot affect the state component of (u,s), and so cannot affect the running of α, so long as none of the variables used to simulate I appears in α.

3. Using small integers, we can convert a flowchart of n boxes, whose boxes contain basic programs and tests, to a B-PDL program of length O(n log n + length of all tests). The program has the form S; (∪ᵢ Tᵢ)*; F?, where S sets a counter to the start box; Tᵢ tests if the counter is i, and if so performs the action in box i, then setting the counter to the number of the next box; and F tests for a final box. The length of the Boolean variable simulation of a flowchart is generally much shorter than the standard PDL simulation, which must be exponential in n in the worst case. Decidability of PDL with flowchart programs follows from the decidability of B-PDL. Pratt [Pr80] gives a single exponential time decision method for PDL with flowcharts, which is slightly better than that obtainable from B-PDL.

4. Any length $n$ program can be changed to the form $S; (\bigcup_i T_i)^*; F?$ of example 3, with a factor of $c \log n$ length increase for some constant $c$. Simulations below make use of this program translation.

5.  Subroutine  calls  to  bounded  depth,  with  small 
integer  parameters,  can  be  simulated  in  the  obvious  way. 

6.  Concurrency  can  be  simulated  by  allowing  more 
than  one  counter  to  be  active  at  a  time.  Each  pass 
selects  which  counter  is  to  be  used,  then  uses  it  in  the 
usual  way.  The  nondeterminism  inherent  in  concurrent 
programs  is  simulated  by  the  nondeterminism  which  is  built 
into  PDL.  This  simulation  treats  basic  programs  as 
indivisible  actions. 

7. A kind of labeling is already in use. It is a simple matter to allow syntactic labels in programs, and to test for being at a given label, or in a given region (using special binary encodings, which allow for testing only the most significant bits). We can also test which program made the last transition, using a backup counter.

8. Global invariance of $p$ over $\alpha$ can be expressed in B-PDL. If $S; (\bigcup_i T_i)^*; F?$ is an equivalent program to $\alpha$, then "$p$ holds throughout the execution of $\alpha$" is expressed as $[S; (\bigcup_i T_i)^*]p$, where the termination test has been omitted. $T_i$ executes a single step of $\alpha$.

9. We can test whether every possible execution sequence of a program must obey $p$ while $q$, which says that, as long as $p$ holds, $q$ holds. If $\alpha$ is represented by $S; (\bigcup_i T_i)^*; F?$, then $\alpha$ satisfies $p$ while $q$ provided

$[S; (q?; \bigcup_i T_i)^*](q \supset p)$.

The two occurrences of $q$ can be reduced to one by the use of more Boolean variables.

10. B-PDL simulates "$p$ holds at the next instant" by only running $\bigcup_i T_i$ once. The operator "until" of [GPSS80] is shown in Chapter 4 to be expressible in terms of while and "next." Hence in B-PDL we can express that every path of $\alpha$ satisfies $p$ until $q$. However, B-PDL cannot simulate nested whiles or untils, at least under the meaning of [GPSS80]. For each time an "until" simulation is done, B-PDL requantifies the path in question. That is, B-PDL can only simulate branching time modalities, in the sense of [L80].

11. Using interpreters, it is possible to "remember" a program counter from one modality to the next. Consider the statement "$\alpha$ preserves $p$," i.e., "$\alpha$ never changes $p$ from true to false." Letting $S; (\bigcup_i T_i)^*; F?$ be an interpreter for $\alpha$, "$\alpha$ preserves $p$" can be expressed in B-PDL as $[S][(\bigcup_i T_i)^*](p \supset [(\bigcup_i T_i)^*]p)$. In words, after $\alpha$ is started and run for some number of steps, if $p$ holds, then continuing $\alpha$ for any more steps must lead to a state where $p$ holds. $[S][(\bigcup_i T_i)^*]p$ is just an expression of global invariance. Pratt's process logic [Pr78] includes a global invariance operator $\{\alpha\}p$. But $\{\alpha\}(p \supset \{\alpha\}p)$ does not express "$\alpha$ preserves $p$," for the nested $\{\alpha\}p$ restarts $\alpha$. Pratt's logic, as well as Parikh's SOAPL [Pa78] and Nishimura's process logic [N79], have no obvious means of expressing that $\alpha$ should take up where it left off.

In $[S][(\bigcup_i T_i)^*](p \supset [(\bigcup_i T_i)^*]p)$, we must write $(\bigcup_i T_i)^*$ twice. It would seem more reasonable to invent a form such as $\alpha^*[\,](p \supset [\,]p)$, where $\alpha^*$ means $[S]$, and determines all $T_i$, and $(\bigcup_i T_i)^*$, or its semantic equivalent, is implicit in each box. Such a form is introduced in Chapter 5.

B-PDL has been shown to be a rich language, and merits study. B-PDL is also interesting in its own right as PDL with very simple assignment programs. The remainder of this chapter is devoted to proving results about B-PDL. We begin by proving that Boolean variables can be eliminated from B-PDL formulas. We then give a characterization of B-PDL in terms of PDL, and using it, show that the satisfiability problem for B-PDL is decidable in nondeterministic time $c^{n3^m}$, where $n$ is the length of a formula, and $m$ is the number of distinct Boolean variables which it contains. Lastly, we prove a deterministic double exponential time lower bound on SAT(B-PDL).

2.2.  Equivalence  of  B-PDL  and  PDL 

Since B-PDL formulas can reference Boolean variables, it is clear that PDL cannot strictly express as much as B-PDL. But if the initial values of all of the Boolean variables are fixed, then we can show that PDL can express just as much as B-PDL. Precisely, for every set $s$ of Boolean variables, there is a map $T_s$ from B-PDL formulas into PDL formulas for which $u,s \models p$ iff $u \models T_s(p)$ for every state $u$, and every B-PDL formula $p$.

It is easy to see how to translate a formula of the form $[\alpha]p$ to PDL, where $\alpha$ may contain programs of the form $x\uparrow$, $x\downarrow$, $x?$ and $\neg x?$, but not arbitrary tests. Begin by constructing a nondeterministic finite automaton $F$ equivalent to regular expression $\alpha$, treating $x\uparrow$, $x\downarrow$, $x?$ and $\neg x?$ as symbols of the alphabet. Next, if $\alpha$ contains $m$ distinct Boolean variables, make $2^m$ copies of $F$, one for each different subset of the Boolean variables. Arcs labeled $x\uparrow$ and $x\downarrow$ are eliminated by turning them into $\lambda$-arcs between copies of $F$. $x?$ arcs are either turned into $\lambda$-arcs or are erased. Finally, the resulting finite automaton is converted into a regular expression. We see that, if $\alpha$ is of length $n$, then the program $\alpha'$ which we construct from $\alpha$ has length $c^{n2^m}$ for some $c$. The upper bound $c^{n2^m}$ is very poor when $m = 0$, in which case our translation causes an exponential blowup when no change at all is necessary. Nevertheless, when $m$ is large, we conjecture that the bound is tight. A double exponential lower bound is proved in [A80] on the length blowup incurred in translating Boolean variable regular expressions into ordinary regular expressions. Hence there is a B-PDL formula $[\alpha]P$ which is not equivalent to any short PDL formula of the form $[\alpha']P$. That does not preclude the possibility of a short PDL formula equivalent to $[\alpha]P$ which is of some altogether different form. The best lower bound we can prove is single exponential, resulting from translating $[A^n]p$ to $[A; \ldots; A]p$.

We now describe the translation $T_s$.

Theorem 2.1. Let $p$ be a B-PDL formula of length $n$, containing $m$ distinct Boolean variables $x_1, \ldots, x_m$, and let $s$ be a subset of $\{x_1, \ldots, x_m\}$. There is a map $T_s : \Phi_B \to \Phi$ such that for every state $u$, $u,s \models p$ iff $u \models T_s(p)$, and $T_s(p)$ has length at most $O(n + d^{n2^m})$, for some $d$.


Proof. Let $i(k)$ be the $k$th bit, numbered left to right, of the binary representation of $i$. Let $t_i$ be the conjunction of Boolean variables and their negations which is true iff $x_1 \ldots x_m$ is the binary representation of $i$. Let $s_i$ be the program which sets $x_1 \ldots x_m$ to the integer $i$. The vector $[p_0, \ldots, p_{2^m-1}]$ of formulas represents the formula $\bigvee_{i=0}^{2^m-1}(t_i \wedge p_i)$. The matrix $[a_{ij}]_{2^m \times 2^m}$ represents the program $\bigcup_{i=0}^{2^m-1}\bigcup_{j=0}^{2^m-1}(t_i?; a_{ij}; s_j)$. Define the length of a vector or matrix as the length of its longest component.

We inductively define translation $T$ which maps every B-PDL formula into a vector formula whose components contain no Boolean variables, and which maps every B-PDL program into a matrix program each of whose components contains no Boolean variables. Simultaneously we prove that $p \equiv T(p)$ and $\rho(\alpha) = \rho(T(\alpha))$ in every structure.

$T_s(p)$ is just the component of $T(p)$ in the position corresponding to $s$. Let $\ell = 2^m - 1$.

$P$. $T(P) = [P, \ldots, P]$, and $P \equiv T(P)$ is trivial.
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s'(,'vxm*iyi  (tiAPi>>  “  (>1m  *y,  “^Pi>»- 


1CI. 


5  (X^y^V  (t£  A  Pi)  )  A  (-UX  V  *  V  (t'Ap  )). 

icl0  icii 

Each  index  set  Iq  and  1^  covers  all  possible  subsets  of 

,  ,  so  \/  t'»  p.  and  V  tr  a  P, 
id  1  1  1  1 


X  -i  f  «  •  «  t  x 

1  m 


are  vector 


id, 


formulas.  By  induction 


=  (xm  v  V  (tjA^llA  N  v  V  (t.'  a  -vp.)  )  . 

id.  1  1 


m  '  id  ‘l* 

o 


By  the  tautology  (a  v  b)  a  (%a  v  c)  =  ('va  a  b)  v  (a  a  c)  , 


^p  =  (^x  a  V  (tr  A'vp  ))  v  (x  a  V  ( t r 


ieIo 

=  I^PD,  ....  'v'p2In_1] 
by  the  choice  of  the  index  sets. 


id 


A  )  >  . 


$p \vee q$. Let $T(p) = [p_0, \ldots, p_\ell]$ and $T(q) = [q_0, \ldots, q_\ell]$. Then $T(p \vee q) = [p_0 \vee q_0, \ldots, p_\ell \vee q_\ell]$, which is easily shown to be correct.

$\langle\alpha\rangle p$. Let $T(p) = [p_0, \ldots, p_\ell]$ and $T(\alpha) = [a_{ij}]_{2^m \times 2^m}$; then $T(\langle\alpha\rangle p) = [a_{ij}] \odot [p_i]$, the matrix-vector product with $+ = \vee$ and $\cdot = \diamond$, where $\alpha \diamond p = \langle\alpha\rangle p$. It is straightforward to show that $T(\langle\alpha\rangle p) \equiv \langle\alpha\rangle p$.
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T  is  defined  below  for  programs.  None  of  the  cases 
presents  any  difficulty,  and  correctness  proofs  are 
omitted. 


0 

h 


where  0  =  false?. 


=  £  8 ^  j  3  2m  x  2m '  w*iere 
true?  if  j(k)  =1  and 

i(h)  =  3(h)  f°r  311  h  *  k' 

false?  otherwise. 


V 


El- 


Similar  to  x,  +. 

k 

Let  T(p)  =  [pQ, 

IV  0 


Tip)?- 


. p  ^ ) •  Then 

,  where  0  =  false?. 


I .0  P*?J 

a  o  S.  T(au  8)  B  T(a)u  T(8)  (componentwise  union). 
a;  B-  T(a;B)  *  T(a)((,)  T(B)  (matrix  multiplication). 
o* »  T(a*)  *  T(a)*»  the  reflexive  transitive  closure 

of  T(g)  with  respect  to  the  (i)  product. 

Length of $T(p)$. The length increase due to the transitive closure for $T(\alpha^*)$ dominates the others by far, provided the usual algorithm is used to take matrix products. When $k$ is a power of 2, the transitive closure of a $k \times k$ matrix can be computed recursively by dividing the matrix into four square submatrices, and applying the formula (see [AHU74, p. 205])

$$\begin{bmatrix} A & B \\ C & D \end{bmatrix}^* = \begin{bmatrix} (A + BD^*C)^* & A^*B(D + CA^*B)^* \\ D^*C(A + BD^*C)^* & (D + CA^*B)^* \end{bmatrix}.$$

Let $s(k,\ell)$ be the length of $M^*$ where $\ell$ is the length of $M$ (i.e., the length of its longest component). A simple substitution argument reveals that $s(k,\ell) \le \ell\, s(k,1)$. Let $s(k) = s(k,1)$. The length of the product of two $k \times k$ matrices of length $\ell_1$ and $\ell_2$, taken by the standard multiplication algorithm, is $O(k(\ell_1 + \ell_2))$. That fact and the formula for $M^*$ lead to

$$s(k) \le O(k^2) + O(k^4)\, s(k/2) + O(k^4)\, s(k/2)^2 \quad \text{for } k > 1,$$

from which it can be shown that $s(k) = O(c^k / k^4)$ for some $c$, and hence $s(k) \le d^k$ for some $d$.

Claim. Length$(T(\alpha))$ and length$(T(p))$ are both $O(d^{n2^m})$, where $n$ is the length of $\alpha$ (or $p$), and $m > 0$ is the number of distinct Boolean variables in $\alpha$ (or $p$).

Proof. By induction on the length of $\alpha$ or $p$. Technically, we must consider each case. Since $\alpha^*$ dominates all others, we show the proof only for $\alpha^*$.

$\text{length}\, T(\alpha^*) \le s(2^m, \text{length}\, T(\alpha))$,

$\le \text{length}\, T(\alpha) \cdot s(2^m)$,

$\le c\, d^{(n-1)2^m} d^{2^m}$ by induction.

The length part of theorem 2.1 follows from the claim, and separate analysis of the trivial case $m = 0$. ∎

The test depth of a formula is defined as the depth of nesting of the "?" operator, with formulas of test depth zero containing no tests. Let $\mathrm{PDL}_n$ be the PDL formulas with test depth at most $n$. Berman and Peterson [BP78] have shown that $\mathrm{PDL}_{n+1}$ is strictly more expressive than $\mathrm{P DL}_n$. We see by inspection that our translation from B-PDL into PDL does not increase test depth. Hence $\text{B-PDL}_{n+1}$ is more expressive than $\text{B-PDL}_n$. That contrasts with the case of star depth, any program being expressible with a single star by the use of Boolean variables (except where stars must be nested solely as a consequence of test nesting). Cohen [Co70] has shown that regular expressions require large star depth for full expressive power. We conjecture that the same holds for PDL.

2.3.  A  characterization  of  B-PDL 

Rather than defining B-PDL separately from PDL, it is possible to define B-PDL as ordinary PDL, subject to certain axioms concerning the behavior of $x\uparrow$ and $x\downarrow$. Axioms B1-B4 completely define B-PDL. While B1-B4 represent a step in the direction of obtaining a complete axiomatization of B-PDL, B1-B4 are not the usual type of axiom, being inexpressible in PDL. Consequently B1-B4 can't be directly used to either decide or prove the validity of a B-PDL formula by falling back on the methods used for PDL.

Nevertheless, B1-B4 can be used to extend theorems about PDL to B-PDL. In B1-B4, $x\uparrow$ and $x\downarrow$ are considered special basic programs associated with the basic formula $x$. Those basic formulas which have set and reset programs associated with them are called Boolean variables. A PDL structure which satisfies B1-B4 is called Boolean with respect to the set $V$ of Boolean variables and the map which assigns $x\uparrow$ and $x\downarrow$ to $x$, or simply Boolean when $V$ and the map are understood.


B1. The following hold at every state, for every Boolean variable $x \in V$ and every basic formula or Boolean variable $P \in \Phi_0 - \{x\}$.

a) $\langle x\uparrow\rangle \mathit{true}$,

b) $\langle x\downarrow\rangle \mathit{true}$,

c) $[x\uparrow]x$,

d) $[x\downarrow]\neg x$,

e) $P \equiv [x\uparrow]P$,

f) $P \equiv [x\downarrow]P$.

B2. a) $u \models x \supset ((u,v) \in \rho(x\uparrow) \supset u = v)$,

b) $u \models \neg x \supset ((u,v) \in \rho(x\downarrow) \supset u = v)$.

B3. a) $\rho(x\uparrow;x\downarrow) = \rho(x\downarrow)$,

b) $\rho(x\downarrow;x\uparrow) = \rho(x\uparrow)$.

B4. For all $A \in \Sigma_0 - \{x\uparrow, x\downarrow\}$,

a) $\rho(A;x\uparrow) = \rho(x\uparrow;A)$,

b) $\rho(A;x\downarrow) = \rho(x\downarrow;A)$.

B1 expresses the behavior of $x\uparrow$ and $x\downarrow$ relative to the basic formulas (including $x$), and requires no justification. It is clear that B1 alone cannot completely define B-PDL. For if it did, it would be possible to decide the satisfiability of any B-PDL formula $p$ by merely conjoining appropriate instances of B1 to $p$, and testing whether the result is a satisfiable PDL formula, violating the lower bound on SAT(B-PDL) which is proved later. B2 and B3 are required to make a reduction of a Boolean PDL model isomorphic to a corresponding B-PDL model.

Whether B2 and B3 are required to define SAT(B-PDL) is questionable. B4 is a statement of independence of $x\uparrow$ and $x\downarrow$ from every other basic program. It is the independent action of $x\uparrow$ and $A \notin \{x\uparrow, x\downarrow\}$ which is difficult to enforce using only expressions which can be written in PDL. The following consequences of B1-B4 will prove useful. Each is stated and proved only for $x\uparrow$, though dual statements for $x\downarrow$ also hold.
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B5.  If  u  ►  x  then  (u,u)  e  p(x"M. 

Proof.  Immediate  from  B2  {a) ,  B2(a).  I 

B6.  Suppose  u  b  'vx.  Then  there  is  a  v  /  u  such  that 
(u » v)  e  p(x  +  )  and  (v,u)  e  p(x+). 

Proof.  By  B5  (u,u)  e  p(x+)  =  p(x+;x4),  which  means 
there  is  a  v  such  that  (u,v)  c  p(xt)  and  (v,u)  c  p(x4).  By 
B1  (c) ,  v  ►  x,  so  u  j  v.  * 

B7.  (Determinism)  For  every  u  there  is  at  most  one 
v  such  that  (u,v)  c  p(xt). 

Proof.  If  u  h  x,  B7  follows  immediately  from  B2 . 
Suppose  u  ►  'vx.  By  B6,  there  is  a  v  such  that  (u,v)  c  p(xt) 
and  (v,u)  e  p(x+)  and  v  ►  x. 

(u,v')  e  p(x  +  )  =3  (v,v')  e  p(x4;x+)  by  (v,u)ep(xl), 

<v,v')  e  P(xt)  by  B3, 

v  *  v'  by  B2,  since 

v  ^  x.  I 

B8.  (Reversibility)  If  (u,v)  e  P(xt)  and  u  ¥  v 
then  (v,u)  e  P(x+). 

Proof.  Immediate  from  B6  and  B7.  ® 

B9.  If  A  c  I  -  (x+,x*)  then  x  =>  (A)x  and  %x  =»  (A)'vx. 
o 

Proof.  We  prove  x  =»  lA]x  only. 


>*4  ■ 
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u  k  x  a  (u,v)  e  p(A)  =3 


(u,u)  e  p(x-M  a  (u,v)  t  p(A) 

by  B5 , 

(u,v)  e  p(xt ;A) , 

(u,v)  c  p(A;x-f)  by  B4  , 

3  v'  (v'.v)  c  p(xt) , 


=3  v  K  x 


by  Bl.  I 


Theorem 2.2. Every B-PDL formula with Boolean variables $V$ is satisfiable iff it is satisfiable by some Boolean PDL structure (i.e., one obeying B1-B4) with Boolean variables $V$.

Proof. ($\Rightarrow$) Given a B-PDL structure $B = (U, \Phi_0, \Sigma_0, V, \varphi_B, \rho_B)$ such that $B,u,s \models p$, define a PDL structure $A = (U \times \mathcal{P}(V),\ \Phi_0 \cup V,\ \Sigma_0 \cup \{x\uparrow, x\downarrow : x \in V\},\ \varphi_0',\ \rho_0')$, where $\varphi_0'$ and $\rho_0'$ are defined in the obvious way. It is easy to verify that $A$ satisfies B1-B4, and that $A,(u,s) \models p$.

($\Leftarrow$) Suppose $A = (U, \Phi_0, \Sigma_0, \varphi_0, \rho_0)$ obeys B1-B4, and $A,u \models p$. Define the equivalence relation $\equiv$ over $U$ by

$u \equiv v$ iff there is a sequence $d_1, \ldots, d_n$, $n \ge 0$, of set and reset programs such that $(u,v) \in \rho(d_1; \ldots; d_n)$.

$\equiv$ is symmetric by B8, and is clearly reflexive and transitive. Define B-PDL structure $\bar{B} = (\bar{U},\ \Phi_0 - V,\ \Sigma_0 - \{x\uparrow, x\downarrow : x \in V\},\ V,\ \bar{\varphi}_0,\ \bar{\rho}_0)$ by

$\bar{u} = \{v : u \equiv v\}$,

$\bar{U} = \{\bar{u} : u \in U\}$,

$\bar{\varphi}_0(P) = \{\bar{u} : u \in \varphi_0(P)\}$,

$\bar{\rho}_0(A) = \{(\bar{u},\bar{v}) : (u,v) \in \rho(A)\}$.

Claim. Let $S_u = \{x \in V : u \models x\}$. For all $p$ and $\alpha$,

1) $A,u \models p$ iff $\bar{B},\bar{u},S_u \models p$,

2) $(u,v) \in \rho(\alpha)$ iff $((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(\alpha)$.

Once the claim is proved, we are finished proving theorem 2.2. The claim is proved by simultaneous induction on formula and program length. We need a lemma.

Lemma 2.3. If $u \equiv v$ and $S_u = S_v$ then $u = v$.

Proof. Let $R$ be a sequence of set and reset programs such that $(u,v) \in \rho(R)$. Using B3 and B4, $R$ can be reduced to contain at most one set or reset program per variable. If $S_u = S_v$, the set or reset program for $x$ in $R$ cannot change the value of $x$. By repeated application of B2, $u = v$. ∎

Proof of Claim.

$P \in \Phi_0 - V$. $A,u \models P \iff u \in \varphi_0(P)$,

$\iff \bar{u} \in \bar{\varphi}_0(P)$ from B1(e,f),

$\iff \bar{B},\bar{u},S_u \models P$.

$x \in V$. $A,u \models x \iff u \in \varphi_0(x)$,

$\iff x \in S_u$ by definition of $S_u$,

$\iff \bar{B},\bar{u},S_u \models x$.
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,  p  v  q .  Trivial. 

<a >p .  A,u  ►  <o>p  4=^  3v((u,v)  c  p(a)  a  A,v  h  p)  , 

***  ^  3  v  ( { (u,S  ) ,  (v,S  ))  e  "p  (a) 

u  v 

a  8,v,Sy  N  p) 

by  induction, 

=3  8,u,Su  K  <a>p. 

Conversely , 

8,u,Su  ^  <a>p  3v,s(((u,Su),(v,s))  e  p(cx) 

a  B, v, s  ^  p) . 

It  is  possible  to  find  v-*  =  v  such  that  Sy*=  s,  by  running 
appropriate  set  and  reset  programs  from  v, 

=>  3  v'(((u,Su), (v\Sy.))  t  p(a)  A  B,v',Sy.  f  p) , 

^  A,u  ►=  <a>p  by  (*). 

$A \in \Sigma_0 - \{x\uparrow, x\downarrow\}$. $(u,v) \in \rho_0(A)$

$\supset ((\bar{u},S_u),(\bar{v},S_u)) \in \bar{\rho}_0(A)$ and $S_u = S_v$ by B9,

$\supset ((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}_0(A)$.

Conversely,

$((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}_0(A)$

$\supset S_u = S_v$ and $(\exists u' \equiv u, v' \equiv v)((u',v') \in \rho(A))$,

$\supset (u,v) \in \rho(R_1;A;R_2)$ for some sequences $R_1, R_2$ of sets and resets,

$\supset (u,v) \in \rho(R_1;R_2;A)$ by B4,

$\supset \exists w(u \equiv w \wedge (w,v) \in \rho(A))$,

$\supset u \equiv w \wedge S_w = S_v \wedge (w,v) \in \rho(A)$ by B9,

$\supset (u,v) \in \rho(A)$ by $S_u = S_v$ and lemma 2.3.
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x* ♦  (u,v)  e  p(x  +  ) 

u  =  vaS  =  Su  {x}  by  B9,  B1  (c)  , 

v  u 

=>  ( (u,  Su) , (v,  Sv>  c  p(xt) . 

Conversely, 

( (u,Su) , (v,Sv) )  e  p(x+) 

=>  Sv=Su  u  (x)^=v. 

By  Bl(a)  there  is  a  w  such  that  (u,w)  e  p(xf), 

=3  sw  =  su  0  {x}  =  Sv  a  w  =  u, 

^0  w  =  v  by  lemma  2.3, 

^  (U,V)  E  P(X+) . 

$\alpha \cup \beta$. Trivial.

$\alpha;\beta$. ($\Rightarrow$) Trivial.

($\Leftarrow$)

$((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(\alpha;\beta)$

$\supset \exists w,s(((\bar{u},S_u),(\bar{w},s)) \in \bar{\rho}(\alpha)$ and $((\bar{w},s),(\bar{v},S_v)) \in \bar{\rho}(\beta))$.

Choose $w' \equiv w$ such that $S_{w'} = s$. This is possible by B1(a-d).

$\supset \exists w'(((\bar{u},S_u),(\bar{w}',S_{w'})) \in \bar{\rho}(\alpha)$ and $((\bar{w}',S_{w'}),(\bar{v},S_v)) \in \bar{\rho}(\beta))$,

$\supset (u,w') \in \rho(\alpha) \wedge (w',v) \in \rho(\beta)$ by induction,

$\supset (u,v) \in \rho(\alpha;\beta)$.

$\alpha^*$. $\rho(\alpha^*) = \bigcup_n \rho(\alpha)^n$. We show by subinduction on $n$ that $(u,v) \in \rho(\alpha^n)$ iff $((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(\alpha^n)$.

$n = 0$. $(u,v) \in \rho(\alpha^0) \iff u = v$,

$\iff ((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(\alpha^0)$.

$n = 1$. Direct from the main induction hypothesis, for $\alpha$ is shorter than $\alpha^*$.

$n > 1$. $(u,v) \in \rho(\alpha^n)$

$\supset \exists w((u,w) \in \rho(\alpha)$ and $(w,v) \in \rho(\alpha^{n-1}))$,

$\supset \exists w(((\bar{u},S_u),(\bar{w},S_w)) \in \bar{\rho}(\alpha)$ and $((\bar{w},S_w),(\bar{v},S_v)) \in \bar{\rho}(\alpha^{n-1}))$ by the subinduction hypothesis,

$\supset ((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(\alpha^n)$.

Conversely,

$((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(\alpha^n)$

$\supset (\exists w,s)(((\bar{u},S_u),(\bar{w},s)) \in \bar{\rho}(\alpha)$ and $((\bar{w},s),(\bar{v},S_v)) \in \bar{\rho}(\alpha^{n-1}))$.

Choose $w' \equiv w$ such that $S_{w'} = s$. Then

$\supset \exists w'(((\bar{u},S_u),(\bar{w}',S_{w'})) \in \bar{\rho}(\alpha)$ and $((\bar{w}',S_{w'}),(\bar{v},S_v)) \in \bar{\rho}(\alpha^{n-1}))$,

$\supset \exists w'((u,w') \in \rho(\alpha)$ and $(w',v) \in \rho(\alpha^{n-1}))$ by the subinduction hypothesis,

$\supset (u,v) \in \rho(\alpha^n)$.

$p?$. $(u,v) \in \rho(p?)$

$\iff u = v$ and $u \models p$,

$\iff u = v$ and $\bar{u},S_u \models p$ by induction,

$\supset ((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(p?)$.

Conversely,

$((\bar{u},S_u),(\bar{v},S_v)) \in \bar{\rho}(p?)$

$\supset \bar{u} = \bar{v}$ and $S_u = S_v$ and $\bar{u},S_u \models p$,

$\supset u = v$ and $\bar{u},S_u \models p$ by lemma 2.3,

$\supset u = v$ and $u \models p$ by induction,

$\supset (u,v) \in \rho(p?)$. ∎


2.4.  An  upper  bound  on  the  complexity  of  B-PDL 

By virtue of theorem 2.1 we already have a method of deciding satisfiability of B-PDL formulas: translate to PDL, and apply Fischer and Ladner's [FL79] decision procedure for PDL. The resulting procedure requires nondeterministic triple exponential time in the worst case. We show here that we can do better by one exponential. In the next section we prove a deterministic double exponential time lower bound for B-PDL, indicating that further improvement of the upper bound is limited to making it deterministic instead of nondeterministic.

We extend Fischer and Ladner's proof of the decidability of PDL to Boolean PDL. By theorem 2.2, our decision method also works for B-PDL. A direct proof is also possible, following very closely the proof for PDL.

In outline, Fischer and Ladner's proof goes as follows: Given a model $A$ satisfying $p$, we define a new model $\bar{A}$ whose states are equivalence classes of states of $A$ under a certain equivalence relation. $\bar{A}$ is shown to have a bounded number of states, and to satisfy $p$. A decision procedure for PDL is to guess a model of bounded size, and to test whether it satisfies $p$.

To extend the method to Boolean PDL, we must only show that $\bar{A}$ is Boolean, provided $A$ is Boolean. In order to make $\bar{A}$ Boolean, we must strengthen the equivalence relation used by Fischer and Ladner. In so doing, we create more equivalence classes, and so increase the time required to decide $p$.

Theorem 2.4. Let $p$ have length $n$ and contain $m$ distinct Boolean variables. Given any structure $A = (U, \Phi_0, \Sigma_0, \varphi_0, \rho_0)$ satisfying $p$ at some state $u$, and which is Boolean w.r.t. variable set $V \subseteq \Phi_0$, there is a structure $\bar{A} = (\bar{U}, \Phi_0, \Sigma_0, \bar{\varphi}_0, \bar{\rho}_0)$ which satisfies $p$ at state $\bar{u}$, and which is Boolean w.r.t. $V$, and which has at most $c^{n3^m}$ states for some constant $c$.

Proof. Following Fischer and Ladner, we define the closure $\mathrm{cl}(p)$ of a formula $p$ to be the smallest set satisfying the following:

1. $p \in \mathrm{cl}(p)$.

2. $p \vee q \in \mathrm{cl}(p) \supset p, q \in \mathrm{cl}(p)$.

3. $\neg p \in \mathrm{cl}(p) \supset p \in \mathrm{cl}(p)$.

4. $\langle A\rangle p \in \mathrm{cl}(p) \supset p \in \mathrm{cl}(p)$ for $A \in \Sigma_0$.

5. $\langle q?\rangle p \in \mathrm{cl}(p) \supset q, p \in \mathrm{cl}(p)$.

6. $\langle\alpha \cup \beta\rangle p \in \mathrm{cl}(p) \supset \langle\alpha\rangle p, \langle\beta\rangle p, p \in \mathrm{cl}(p)$.

7. $\langle\alpha;\beta\rangle p \in \mathrm{cl}(p) \supset \langle\alpha\rangle\langle\beta\rangle p, \langle\beta\rangle p \in \mathrm{cl}(p)$.

8. $\langle\alpha^*\rangle p \in \mathrm{cl}(p) \supset \langle\alpha\rangle\langle\alpha^*\rangle p, p \in \mathrm{cl}(p)$.

Fischer and Ladner show that if $p$ has length $n$, then $\mathrm{cl}(p)$ has at most $n$ members. Their equivalence relation over $U$ is defined by $u \equiv_1 v$ iff $(\forall q \in \mathrm{cl}(p))(u \models q \text{ iff } v \models q)$.

We strengthen that equivalence relation to

$u \equiv_2 v$ iff $(\forall q \in \mathrm{ecl}(p))(u \models q \text{ iff } v \models q)$

where $\mathrm{ecl}(p)$, the extended closure of $p$, is defined as follows:

Let $D = \{d_1; \ldots; d_m : d_i \text{ is either } x_i\uparrow \text{ or } x_i\downarrow \text{ or is missing, for } i = 1, \ldots, m\}$. $D$ has $3^m$ members.

$\mathrm{ecl}(p) = \{\langle d\rangle q : q \in \mathrm{cl}(p),\ d \in D\}$.

By definition, $\langle\lambda\rangle p$ is $p$.
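The closure rules 1-8 and the extended closure $\mathrm{ecl}(p)$ above, as an added example that is not part of the thesis: a Python implementation that computes $\mathrm{cl}(p)$ and $\mathrm{ecl}(p)$ for formulas in a tuple encoding of my own ($\langle\alpha\rangle p$ as `('dia', alpha, p)`, $x\uparrow$ and $x\downarrow$ as `('set', x)` and `('reset', x)`), treating set and reset programs as basic programs as section 2.3 does, and checks the $|\mathrm{cl}(p)| \le n$ and $|D| = 3^m$ bounds on a constructed formula.

```python
"""Fischer-Ladner closure cl(p) and the extended closure ecl(p) (added example).

Formulas: ('P', name), ('var', x), ('not', p), ('or', p, q), ('dia', alpha, p).
Programs: ('A', name), ('set', x), ('reset', x), ('test', p),
          ('union', a, b), ('seq', a, b), ('star', a).
"""
from itertools import product


def length(f):
    """Length n of a formula or program: number of symbols in its tree."""
    if f[0] in ('P', 'var', 'A', 'set', 'reset'):
        return 1
    return 1 + sum(length(sub) for sub in f[1:])


def cl(p):
    """Smallest set containing p and closed under rules 1-8."""
    closure, work = set(), [p]
    while work:
        q = work.pop()
        if q in closure:
            continue
        closure.add(q)                          # rule 1
        kind = q[0]
        if kind == 'or':                        # rule 2
            work += [q[1], q[2]]
        elif kind == 'not':                     # rule 3
            work.append(q[1])
        elif kind == 'dia':
            alpha, r = q[1], q[2]
            ak = alpha[0]
            if ak in ('A', 'set', 'reset'):     # rule 4 (x-up, x-down are basic)
                work.append(r)
            elif ak == 'test':                  # rule 5
                work += [alpha[1], r]
            elif ak == 'union':                 # rule 6
                work += [('dia', alpha[1], r), ('dia', alpha[2], r), r]
            elif ak == 'seq':                   # rule 7
                work += [('dia', alpha[1], ('dia', alpha[2], r)), ('dia', alpha[2], r)]
            elif ak == 'star':                  # rule 8
                work += [('dia', alpha[1], q), r]
    return closure


def set_reset_sequences(variables):
    """D = {d_1; ...; d_m : d_i is x_i-up, x_i-down or missing}.  None stands
    for the empty sequence lambda, so that <lambda>q is q.  |D| = 3**m."""
    D = []
    for choice in product(('set', 'reset', None), repeat=len(variables)):
        d = None
        for c, x in zip(choice, variables):
            if c is not None:
                d = (c, x) if d is None else ('seq', d, (c, x))
        D.append(d)
    return D


def ecl(p, variables):
    """ecl(p) = {<d>q : q in cl(p), d in D}."""
    return {q if d is None else ('dia', d, q)
            for q in cl(p) for d in set_reset_sequences(variables)}


# Constructed example: <(x-up; A)*> x, with the single Boolean variable x.
EXAMPLE = ('dia', ('star', ('seq', ('set', 'x'), ('A', 'A'))), ('var', 'x'))


def demo(p=EXAMPLE, variables=('x',)):
    c, e = cl(p), ecl(p, variables)
    return {
        'n': length(p),                                  # 6
        'cl_size': len(c),                               # 5, at most n
        'D_size': len(set_reset_sequences(variables)),   # 3**m = 3
        'ecl_size': len(e),                              # 14, at most n * 3**m
    }


if __name__ == '__main__':
    print(demo())
```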

Define $\bar{A} = (\bar{U}, \Phi_0, \Sigma_0, \bar{\varphi}_0, \bar{\rho}_0)$ as follows:

$\bar{u} = \{v : u \equiv_2 v\}$;

$\bar{U} = \{\bar{u} : u \in U\}$;

$\bar{\varphi}_0(P) = \{\bar{u} : u \models P\}$;

$\bar{\rho}_0(A) = \{(\bar{u},\bar{v}) : (u,v) \in \rho_0(A)\}$.

By the fact that $\mathrm{ecl}(p)$ has at most $n3^m$ members, we see that $\bar{U}$ has at most $2^{n3^m}$ members.

Lemma 2.5. For all $q \in \mathrm{ecl}(p)$, $A,u \models q$ iff $\bar{A},\bar{u} \models q$.

Proof. Fischer and Ladner prove lemma 2.5 for all $q \in \mathrm{cl}(p)$ based on the weaker relation $\equiv_1$. Their proof works for any stronger equivalence relation. Lemma 2.5 is extended to $\mathrm{ecl}(p)$ as follows:

$u \models \langle d_1; \ldots; d_k\rangle q$

$\iff (\exists v_1, \ldots, v_k)((u,v_1) \in \rho(d_1) \wedge \ldots \wedge (v_{k-1},v_k) \in \rho(d_k) \wedge v_k \models q)$,

$\supset (\exists v_1, \ldots, v_k)((\bar{u},\bar{v}_1) \in \bar{\rho}(d_1) \wedge \ldots \wedge (\bar{v}_{k-1},\bar{v}_k) \in \bar{\rho}(d_k) \wedge \bar{v}_k \models q)$ by lemma 2.5 for $\mathrm{cl}(p)$,

$\supset \bar{u} \models \langle d_1; \ldots; d_k\rangle q$.

Conversely, suppose $\bar{u} \models \langle d_1; \ldots; d_k\rangle q$. Then there must be a chain $\bar{u} = \bar{v}_1 \to \bar{w}_1 = \bar{v}_2 \to \ldots \to \bar{w}_{k-1} = \bar{v}_k \to \bar{w}_k$, where arrows mean $(v_i,w_i) \in \rho(d_i)$, and $\bar{w}_k \models q$. By lemma 2.5 for $\mathrm{cl}(p)$, $w_k \models q$. Hence $v_k \models \langle d_k\rangle q$. Since $\langle d_k\rangle q$ is in $\mathrm{ecl}(p)$, and $\bar{w}_{k-1} = \bar{v}_k$, $w_{k-1} \models \langle d_k\rangle q$. Repeating that reasoning, we see that $u \models \langle d_1; \ldots; d_k\rangle q$. ∎
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All  that  is  left  is  to  show  that  ^  obeys  B1-B4.  We 

may  assume  without  loss  of  generality  that  every  member 

of  4>  appears  in  p.  Then  cl(p)  contains  every  member 
o 

of  $  .  Let  =  be 

o  2 

B1.

a) For every $\bar{u}$, $\exists v((u,v) \in \rho(x\uparrow))$ by B1(a) in $A$,

$\supset (\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow)$.

b) Dual to (a).

c) $(\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow)$

$\supset (\exists u' \equiv u, v' \equiv v)((u',v') \in \rho(x\uparrow))$,

$\supset v' \equiv v$ and $v' \models x$ by B1(c) in $A$,

$\supset \bar{v} \models x$ by lemma 2.5.

d) Dual to (c).

e) $(\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow)$ and $\bar{u} \models P$

$\supset (\exists u' \equiv u, v' \equiv v)((u',v') \in \rho(x\uparrow)$ and $u' \models P)$ by lemma 2.5,

$\supset v' \equiv v$ and $v' \models P$ by B1(e) in $A$,

$\supset \bar{v} \models P$ by lemma 2.5.

f) Dual to (e).

B2. We verify part (a) only.

$\bar{u} \models x$ and $(\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow)$

$\supset (\exists u' \equiv u, v' \equiv v)((u',v') \in \rho(x\uparrow)$ and $u' \models x)$ by lemma 2.5,

$\supset u' = v'$ by B2 in $A$,

$\supset \bar{u} = \bar{u}' = \bar{v}' = \bar{v}$.

B3. We verify part (a) only. Consider a state $\bar{u}$. We show that $(\bar{u},\bar{v}) \in \bar{\rho}(x\downarrow)$ iff $(\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow;x\downarrow)$. There are two cases.

Case 1. ($\bar{u} \models x$).

$\bar{u} \models x$ and $(\bar{u},\bar{v}) \in \bar{\rho}(x\downarrow)$

$\supset (\bar{u},\bar{u}) \in \bar{\rho}(x\uparrow)$ and $(\bar{u},\bar{v}) \in \bar{\rho}(x\downarrow)$ by B5 in $\bar{A}$,

$\supset (\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow;x\downarrow)$.

Conversely,

$\bar{u} \models x$ and $(\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow;x\downarrow)$

$\supset \exists \bar{w}((\bar{u},\bar{w}) \in \bar{\rho}(x\uparrow)$ and $(\bar{w},\bar{v}) \in \bar{\rho}(x\downarrow))$,

$\supset \bar{w} = \bar{u}$ by B2 in $\bar{A}$,

$\supset (\bar{u},\bar{v}) \in \bar{\rho}(x\downarrow)$.
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Case  2.  (u  H  ) 

(u,v)  e  Mx+) a  u  h  ^x 


U  =  V  a  U  N  %X 

by  B2  in 

A, 

U  *=■  ^x 

by  lemma 

2.5, 

(U|U)  e  P(x4) 

by  B5  in 

A, 

=> 

(u,u)  e  p(x+;x+) 

by  B3  in 

A, 

=> 

3  w((u,w)  c  p<xt)  and 

(w,u) 

c  P (x4) ) , 

3  w((u,w)  e  p(x+)  and 

(w,u) 

e  P  (xi) ) , 

(u,u)  e  p  (xt;x4) , 

(u, v)  e  p  (xt ;x+) . 

by  u  =  v, 
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For  the  converse  we  need  to  prove  a  lemma. 

Lemma  2.6.  Let  d  be  either  xf  or  x4 .  If  (u,v)  e  "p(d) 
and  (u,w)  e  "p(d)  then  v  =  w. 

Lemma  2.6  is  a  statement  of  determinism  of  xl  and  x4 
in  X.  We  can't  use  B7  directly,  since  the  proof  of  B7 
used  B3. 

Proof.  We  show  that,  for  every  q  e  ecl(p),  v  N  q 
O  u  N  <d>q  O  w  ^  q,  thus  showing  that  v  =  w.  By  symmetry 
we  need  only  show  v  ►  q  u  ►  <d>q. 

( )  v  ^  q  u  N  <d>q  because  (u,v)  e  ”p(d)  . 

(<=)  Suppose  u^<d>q.  For  any  q  in  ecl(p)  it  is 
easy  to  show  that  a  formula  which  is  equivalent  to  <d>q  in  all 
Boolean  nodels  is  also  in  ecl(p) .  By  that  fact  and  lama  2.5  we  have 
u  k  <d>q, 

— \  n  ►  [d]q  by  determinism  of  d  in  A, 

=3  Vv'((u,v')  e  P(d)=3v>q), 

=3  Vv'((u,v')  e  P{d)=)v'^q)  by  lemma  2.5. 

But  there  is  a  v'  =  v  such  that  (u,v')  e  P(d),  so  v*v'^  q.  I 

To continue the proof of B3, suppose $(\bar{u},\bar{v}) \in \bar{\rho}(x\uparrow;x\downarrow)$ and $\bar{u} \models \neg x$. Then there must be a $\bar{w}$ such that $(\bar{u},\bar{w}) \in \bar{\rho}(x\uparrow)$ and $(\bar{w},\bar{v}) \in \bar{\rho}(x\downarrow)$. By the definition of $\bar{\rho}$, there must be $u_1 \equiv u$, $w_1 \equiv w$, $w_2 \equiv w$ and $v_2 \equiv v$ such that $(u_1,w_1) \in \rho(x\uparrow)$ and $(w_2,v_2) \in \rho(x\downarrow)$. By B6 in $A$ there is a $w_3 \neq u$ such that $(u,w_3) \in \rho(x\uparrow)$ and $(w_3,u) \in \rho(x\downarrow)$. Similarly there is a $v_3$ such that $(w_3,v_3) \in \rho(x\downarrow)$. Taking each known member of $\rho(x\uparrow)$ and $\rho(x\downarrow)$ into its bar gives

$(\bar{u},\bar{w}_3) \in \bar{\rho}(x\uparrow)$,

$(\bar{u},\bar{w}_1) \in \bar{\rho}(x\uparrow)$,

$(\bar{w}_2,\bar{v}_2) \in \bar{\rho}(x\downarrow)$,

$(\bar{w}_3,\bar{u}) \in \bar{\rho}(x\downarrow)$,

$(\bar{w}_3,\bar{v}_3) \in \bar{\rho}(x\downarrow)$.

By lemma 2.6 and the fact that $\bar{u} = \bar{u}_1$, we get $\bar{w}_1 = \bar{w}_3$. By another application of lemma 2.6, using $\bar{w} = \bar{w}_1 = \bar{w}_2 = \bar{w}_3$, we get $\bar{v} = \bar{v}_2 = \bar{v}_3 = \bar{u}$. By B5 in $\bar{A}$, $(\bar{u},\bar{v}) \in \bar{\rho}(x\downarrow)$.

B4. We verify (a) only. Suppose $(u,v) \in \bar p(A;x\uparrow)$. Then there must be $u' = u$, $w'$, $w'' = w'$ and $v'' = v$ such that

$(u',w') \in p(A)$,

$(w'',v'') \in p(x\uparrow)$.

By B1(a) in A, we can find $v'$ such that $(w',v') \in p(x\uparrow)$. By determinism of $x\uparrow$ in $\bar A$, $v' = v'' = v$.

$(u',w') \in p(A)$ and $(w',v') \in p(x\uparrow)$

$\Rightarrow (u',v') \in p(A;x\uparrow)$,

$\Rightarrow (u',v') \in p(x\uparrow;A)$ by B4 in A,

$\Rightarrow \exists z\,((u',z) \in p(x\uparrow)$ and $(z,v') \in p(A))$,

$\Rightarrow \exists z\,((u',z) \in \bar p(x\uparrow)$ and $(z,v') \in \bar p(A))$,

$\Rightarrow (u',v') \in \bar p(x\uparrow;A)$,

$\Rightarrow (u,v) \in \bar p(x\uparrow;A)$.

The converse is proved in a similar manner. Its proof is omitted.

This concludes the proof that $\bar A$ is Boolean, and the proof of theorem 2.4. ∎

Theorem 2.7. There is an algorithm which recognizes SAT(B-PDL) and which runs in time at most $c^{n3^m}$ on an input of length n containing m distinct Boolean variables, for some constant c.

Proof. A decision procedure for B-PDL can guess a structure of size at most $d^{n3^m}$, where d is the constant of theorem 2.4. It is left to the reader to verify that it is possible to test that the structure is Boolean and that it satisfies p in time polynomial in the number of states in the structure. The running time of this algorithm is $(d^{n3^m})^k$ for some k. Let $c = d^k$. ∎


The procedure just presented has two serious shortcomings. For one thing, it is nondeterministic. A deterministic procedure based on it would have a longer running time by an exponential. For another, it takes the worst case time on all formulas. Pratt [Pr78] presents a tableau method for PDL which is deterministic and which takes far less than the worst case time on some inputs. The tableau method constructs a model for p, as our method does, but instead of blindly searching for a model, the tableau method uses p to guide the construction of a model for p. It appears that conditions B1-B4 can be enforced on the model without affecting the rest of the construction procedure. When Pratt's method calls for the creation of a new state, the extension to Boolean PDL creates $2^m$ new states, associating a different subset of Boolean variables with each. We do not go into detail here on the extension of Pratt's tableau method for Boolean PDL, or attempt to prove the method correct.

2.5 A lower bound for B-PDL

This section is devoted to proving that SAT(B-PDL) is not solvable in deterministic time $c^{n2^m}$ for some constant c > 1. The proof follows that of Fischer and Ladner for PDL. An outline of the method of proof is as follows: We show that B-PDL formulas can efficiently simulate computations of an $n2^m$ space bounded alternating Turing Machine, thus proving that SAT(B-PDL) is at least as difficult as the acceptance problem for such machines.

By results of Chandra and Stockmeyer [CS76] and Kozen [Ko76] we can translate an alternating space bound into a deterministic time bound one exponential larger. In order to complete the proof, we need a result of abstract complexity theory which amounts to a compression theorem for functions of several variables. As we are not aware of such a theorem in the literature, we prove it here.

For completeness, we give a definition of an alternating Turing Machine, taken from [FL79]. A one-tape ATM is a seven-tuple $M = (Q, A, \Gamma, b, \delta, q_0, U)$ where

Q is a set of states,

A is the input alphabet,

$\Gamma$ is the tape alphabet,

$b \in \Gamma - A$ is the blank symbol,

$\delta \subseteq (Q \times \Gamma) \times (Q \times \Gamma \times \{L, R\})$ is the next move relation,

$U \subseteq Q$ is the set of universal states,

$E = Q - U$ is the set of existential states.

A configuration is a member of $\Gamma^* Q \Gamma^+$. A universal configuration is a member of $\Gamma^* U \Gamma^+$, and an existential configuration is a member of $\Gamma^* E \Gamma^+$. $\beta = x'q'\sigma'y'$ is a next configuration of $\alpha = xq\sigma y$ if for some $\tau \in \Gamma$, either

1) $(q,\sigma,q',\tau,L) \in \delta$ and $x'\sigma' = x$ and $y' = \tau y$, or

2) $(q,\sigma,q',\tau,R) \in \delta$ and $x' = x\tau$ and ($\sigma'y' = y$ or ($y = y' = \epsilon$ and $\sigma' = b$)).

A computation sequence is a sequence $\alpha_1, \alpha_2, \ldots$ of configurations, where $\alpha_{i+1}$ is a next configuration of $\alpha_i$ for each i. A trace of M is a set C of pairs $(\alpha, t)$, where α is a configuration and $t \in \mathbb{N}$, such that

1) if $(\alpha,t) \in C$ and α is a universal configuration, then for every next configuration β of α, there is a $t' < t$ for which $(\beta,t') \in C$;

2) if $(\alpha,t) \in C$ and α is an existential configuration, then there is some next configuration β of α and $t' < t$ for which $(\beta,t') \in C$.

The set accepted by M is

$L(M) = \{x \in A^* : \text{there is a trace } C \text{ of } M \text{ and a } t \in \mathbb{N} \text{ such that } (q_0 x, t) \in C\}$.

Machine M accepts x in space s if there is a trace of M containing $q_0 x$, each of whose configurations uses at most s tape cells.

Definition. (Fischer and Ladner) A simplified trace is a set of configurations which is equal to the set of first components of some trace.

Lemma 2.9. (Fischer and Ladner). If M never repeats a configuration, then $L(M) = \{x \in A^* : \text{there is a simplified trace of } M \text{ which contains } q_0 x\}$. ∎
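The next-configuration relation, the two trace conditions and the simplified traces of lemma 2.9, carried out on a constructed one-tape ATM, as an added example in Python (not part of the thesis). The machine, its transition set and the input strings are assumptions chosen for illustration; a configuration $\alpha = xq\sigma y$ is stored as the tuple $(x, q, \sigma, y)$, and, following the no-repeat assumption of lemma 2.9, a branch that revisits a configuration is treated as having no well-founded trace.

```python
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

# A configuration alpha = x q sigma y is stored as the tuple (x, q, sigma, y).
Config = Tuple[str, str, str, str]
# A move (q, sigma, q', tau, D) of the next-move relation delta, D in {'L', 'R'}.
Move = Tuple[str, str, str, str, str]


class ATM:
    """One-tape alternating Turing machine M = (Q, A, Gamma, b, delta, q0, U)."""

    def __init__(self, Q: Iterable[str], A: Iterable[str], Gamma: Iterable[str],
                 blank: str, delta: Iterable[Move], q0: str, U: Iterable[str]):
        self.Q, self.A, self.Gamma = set(Q), set(A), set(Gamma)
        self.blank, self.delta, self.q0, self.U = blank, set(delta), q0, set(U)
        assert blank in self.Gamma - self.A and self.U <= self.Q and q0 in self.Q

    def next_configs(self, alpha: Config) -> List[Config]:
        """All beta = x' q' sigma' y' that are next configurations of alpha."""
        x, q, sigma, y = alpha
        out: List[Config] = []
        for (p, s, p2, tau, d) in sorted(self.delta):
            if (p, s) != (q, sigma):
                continue
            if d == 'L':
                # case 1): x' sigma' = x and y' = tau y; no move exists at the left end
                if x:
                    out.append((x[:-1], p2, x[-1], tau + y))
            else:
                # case 2): x' = x tau and sigma' y' = y, or y = y' = empty and sigma' = b
                if y:
                    out.append((x + tau, p2, y[0], y[1:]))
                else:
                    out.append((x + tau, p2, self.blank, ''))
        return out

    def initial(self, w: str) -> Config:
        """q0 w: state q0 reading the first symbol of w (a blank if w is empty)."""
        return ('', self.q0, w[0] if w else self.blank, w[1:])

    def simplified_trace(self, alpha: Config,
                         branch: FrozenSet[Config] = frozenset()) -> Optional[Set[Config]]:
        """A simplified trace containing alpha, or None if there is none.

        Condition 1): a universal configuration needs every next configuration
        in the trace; condition 2): an existential one needs some next
        configuration.  The ranks t strictly decrease along next moves, so a
        configuration repeated on the current branch cannot be completed into
        a trace (the no-repeat assumption of lemma 2.9)."""
        if alpha in branch:
            return None
        branch = branch | {alpha}
        succ = self.next_configs(alpha)
        if alpha[1] in self.U:
            trace = {alpha}
            for beta in succ:
                sub = self.simplified_trace(beta, branch)
                if sub is None:
                    return None
                trace |= sub
            return trace                      # no moves: vacuously satisfied
        for beta in succ:
            sub = self.simplified_trace(beta, branch)
            if sub is not None:
                return {alpha} | sub
        return None                           # existential state with no way out

    def accepts(self, w: str) -> bool:
        return self.simplified_trace(self.initial(w)) is not None

    @staticmethod
    def space(trace: Set[Config]) -> int:
        """Largest number of tape cells used by a configuration of the trace."""
        return max(len(x) + 1 + len(y) for (x, _, _, y) in trace)


BLANK = '_'
# Constructed example: q0 is universal and launches two existential scans of the
# tail w[1:], one looking for an 'a' and one for a 'b'; 'acc' is a universal state
# with no moves (vacuously in every trace), 'rej' an existential one with no moves.
TAIL_HAS_A_AND_B = ATM(
    Q={'q0', 'find_a', 'find_b', 'acc', 'rej'}, A={'a', 'b'},
    Gamma={'a', 'b', BLANK}, blank=BLANK,
    delta={('q0', 'a', 'find_a', 'a', 'R'), ('q0', 'a', 'find_b', 'a', 'R'),
           ('q0', 'b', 'find_a', 'b', 'R'), ('q0', 'b', 'find_b', 'b', 'R'),
           ('q0', BLANK, 'rej', BLANK, 'R'),
           ('find_a', 'a', 'acc', 'a', 'R'), ('find_a', 'b', 'find_a', 'b', 'R'),
           ('find_b', 'b', 'acc', 'b', 'R'), ('find_b', 'a', 'find_b', 'a', 'R')},
    q0='q0', U={'q0', 'acc'})

if __name__ == '__main__':
    for w in ('aab', 'bba', 'ab', ''):
        print(w, TAIL_HAS_A_AND_B.accepts(w))
```

The machine always moves right, so every branch reaches a blank and the recursion is well founded; with a machine that could loop, the `branch` check is what keeps the search finite, exactly the role the no-repeat counter of lemma 2.10's proof plays.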

We now show that B-PDL can efficiently simulate space bounded alternating Turing machines. Let ⟨n,m⟩ be a standard encoding of the pair (n,m) in alphabet A.

Lemma 2.10. Let $K \subseteq A^*$ be accepted by an alternating Turing machine M which accepts every ⟨n,m⟩ ∈ K in space $n2^m$. There is a mapping f from $A^*$ into B-PDL formulas such that for every pair ⟨n,m⟩,

i) ⟨n,m⟩ ∈ K iff f(⟨n,m⟩) is satisfiable,

ii) f(⟨n,m⟩) has length O(n+m) and contains O(m) distinct Boolean variables,

iii) f(⟨n,m⟩) is computable in time polynomial in n+m.

Proof. We may assume without loss of generality that M never repeats a configuration on any computation sequence; for there must be some j such that $j^{n2^m}$ bounds the number of configurations of M. We can construct a new machine M' which on input ⟨n,m⟩ maintains a count on a new track, in j-ary, of the number of moves which M has made. M' accepts ⟨n,m⟩ in space $n2^m$ iff M does so. By lemma 2.8, we need only consider simplified traces of M'.

A PDL structure represents an $n2^m$ space bounded simplified trace as follows: A configuration is represented as a chain of $m2^m$ states, linked by basic program A. Each state holds $\lceil n/m\rceil$ tape cells. The ith state in a chain satisfies basic formula $P_{\sigma j}$ or $H_j$, respectively, if tape cell $i\lceil n/m\rceil + j$ contains σ or the head is reading cell $i\lceil n/m\rceil + j$, respectively, for $\sigma \in \Gamma$, $j = 0, \ldots, \lceil n/m\rceil - 1$, $i = 0, \ldots, m2^m - 1$. Formula $Q_q$, for $q \in Q$, holds at the first state of the chain if the associated configuration is in state q. The "next move" relation between configurations is represented by basic program N, which operates at the first state of a chain.

Before defining f(⟨n,m⟩), we define some abbreviations. Let $y_1, \ldots, y_k$, $k = \lceil \log(m2^m)\rceil$, be distinct Boolean variables. $y_1, \ldots, y_k$ represent an integer y in the range $[0, m2^m - 1]$.

1. The following programs can be simulated by length O(m) programs:

a) $y = 0?$

b) $y \leftarrow y - 1 \bmod m2^m$.

2. $a^y$ can be simulated by a program of length $O(m + \ell(a))$.

3. $y \leftarrow \mathrm{random} = (y_1\uparrow \cup y_1\downarrow); \ldots; (y_k\uparrow \cup y_k\downarrow)$.

Bounded quantification is simulated by

$\forall y = [y \leftarrow \mathrm{random}]$,

$\exists y = \langle y \leftarrow \mathrm{random}\rangle$.
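The chain representation just described, as an added example in Python (not part of the thesis): a configuration $(x, q, \sigma, y)$ is laid out over $m2^m$ states of $\lceil n/m\rceil$ cells each, the basic formulas $P_{\sigma j}$, $H_j$ and $Q_q$ true at each state are listed as tuples, the layout is read back, and the chain is checked for what g2, g3 and g4 below demand of it (one control state, one symbol per cell, one head position). The parameters n, m and the sample configuration are assumptions.

```python
import math
from typing import List, Set, Tuple

Config = Tuple[str, str, str, str]        # alpha = x q sigma y
Formula = Tuple                           # ('P', sigma, j), ('H', j) or ('Q', q)
Chain = List[Set[Formula]]                # basic formulas true at chain state i


def chain_shape(n: int, m: int) -> Tuple[int, int]:
    """States per chain, m 2^m, and tape cells per state, ceil(n/m)."""
    return m * 2 ** m, math.ceil(n / m)


def encode(config: Config, n: int, m: int, blank: str = '_') -> Chain:
    """Basic formulas holding at the i-th state of the chain for `config`."""
    x, q, sigma, y = config
    states, cells = chain_shape(n, m)
    tape, head = x + sigma + y, len(x)
    assert len(tape) <= states * cells, 'configuration does not fit in n 2^m cells'
    tape = tape.ljust(states * cells, blank)          # unused cells hold blanks
    chain: Chain = []
    for i in range(states):
        here: Set[Formula] = set()
        for j in range(cells):
            cell = i * cells + j                      # tape cell i*ceil(n/m) + j
            here.add(('P', tape[cell], j))            # P_{sigma j}: cell holds sigma
            if cell == head:
                here.add(('H', j))                    # H_j: the head reads this cell
        if i == 0:
            here.add(('Q', q))                        # Q_q only at the first state
        chain.append(here)
    return chain


def decode(chain: Chain, cells: int, blank: str = '_') -> Config:
    """Inverse of encode: read tape contents, head and state back off the chain."""
    tape: List[str] = []
    head = q = None
    for i, here in enumerate(chain):
        for j in range(cells):
            (symbol,) = [f[1] for f in here if f[0] == 'P' and f[2] == j]
            tape.append(symbol)
            if ('H', j) in here:
                head = i * cells + j
        if i == 0:
            (q,) = [f[1] for f in here if f[0] == 'Q']
    assert head is not None and q is not None
    text = ''.join(tape)
    end = max(head + 1, len(text.rstrip(blank)))     # keep the cell under the head
    text = text[:end]
    return text[:head], q, text[head], text[head + 1:]


def well_formed(chain: Chain, cells: int, Q: Set[str]) -> bool:
    """Semantic content of g2-g4 on one chain: exactly one Q_q at the first state,
    exactly one P_{sigma j} for every cell j of every state, exactly one H_j overall."""
    one_state = sum(('Q', q) in chain[0] for q in Q) == 1
    one_symbol = all(sum(f[0] == 'P' and f[2] == j for f in here) == 1
                     for here in chain for j in range(cells))
    one_head = sum(f[0] == 'H' for here in chain for f in here) == 1
    return one_state and one_symbol and one_head


# Constructed sample: n = 4, m = 2 gives 8 states of 2 cells, i.e. n 2^m = 16 cells.
N, M = 4, 2
SAMPLE: Config = ('ab', 'q1', 'a', 'b')   # tape "abab", head on cell 2, state q1

if __name__ == '__main__':
    chain = encode(SAMPLE, N, M)
    print(sorted(chain[0]), sorted(chain[1]))
    print(decode(chain, chain_shape(N, M)[1]), well_formed(chain, 2, {'q1'}))
```

The counter y of the abbreviations is what the formulas use to address the ith state of a chain ($A^y$ reaches it from the first state); here that indexing is done directly on the Python list.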

Formulas g1-g7 force a structure to represent a simplified trace.

g1. Every tape cell is present.

$[A^*]\langle A\rangle\mathrm{true}$

g2. There is exactly one state.

$\bigvee_{q \in Q} \big(Q_q \wedge \bigwedge_{q' \ne q} \neg Q_{q'}\big)$

g3. There is exactly one character per cell, and it is well defined.

$[A^*] \bigwedge_{j=0}^{\lceil n/m\rceil - 1} \bigvee_{\sigma \in \Gamma} \big(P_{\sigma j} \wedge \bigwedge_{\sigma' \ne \sigma} \neg P_{\sigma' j}\big) \;\wedge\; \forall y \bigwedge_{j=0}^{\lceil n/m\rceil - 1} \bigwedge_{\sigma \in \Gamma} \big([A^y]P_{\sigma j} \vee [A^y]\neg P_{\sigma j}\big)$.

g4. There is exactly one head position, and it is well defined.

$\langle A^*\rangle \bigvee_{j=0}^{\lceil n/m\rceil - 1} \big(H_j \wedge \bigwedge_{i \ne j} \neg H_i\big) \;\wedge\; [A^*]\Big(\bigvee_{j=0}^{\lceil n/m\rceil - 1} H_j \supset [A;A^*] \bigwedge_{j=0}^{\lceil n/m\rceil - 1} \neg H_j\Big) \;\wedge\; \forall y \bigwedge_{j=0}^{\lceil n/m\rceil - 1} \big([A^y]H_j \vee [A^y]\neg H_j\big)$.

g5. The universal states behave correctly. Let

$\mathrm{MOVER} = H_{j+1}$ if $j < \lceil n/m\rceil - 1$,

$\mathrm{MOVER} = y \ne m2^m - 1 \wedge \langle A^{y+1}\rangle H_0$ if $j = \lceil n/m\rceil - 1$,

$\mathrm{MOVEL} = H_{j-1}$ if $j \ne 0$,

$\mathrm{MOVEL} = y \ne 0 \wedge \langle A^{y-1}\rangle H_{\lceil n/m\rceil - 1}$ if $j = 0$.

$\forall y \bigwedge_{j=0}^{\lceil n/m\rceil - 1} \bigwedge_{\sigma \in \Gamma} \bigwedge_{q \in U} \Big( \big(Q_q \wedge \langle A^y\rangle(P_{\sigma j} \wedge H_j)\big) \supset \bigwedge_{(q,\sigma,q',\sigma',R) \in \delta} \langle N\rangle\big(\mathrm{MOVER} \wedge Q_{q'} \wedge \langle A^y\rangle P_{\sigma' j}\big)$
$f(\langle n,m\rangle) = h \wedge [N^*](g_1 \wedge \ldots \wedge g_7)$.

f(⟨n,m⟩) satisfies conditions (ii) and (iii) by inspection. Given a simplified trace of M on input ⟨n,m⟩ using space $n2^m$ it should be clear how to construct a model which satisfies f(⟨n,m⟩). Conversely, given $A, u_0 \models f(\langle n,m\rangle)$ we can find a simplified trace for M on x. The g formulas are sufficient to ensure that there is a configuration associated with each state accessible from $u_0$ by $N^*$. The g conditions also ensure that, at least for some subset $U_0$ of the states U of A, the set of configurations associated with members of $U_0$ form a simplified trace of M which accepts ⟨n,m⟩. Details of the proof are omitted. ∎

A compression theorem

Theorem 2.12 is the compression theorem which we require to finish the lower bound proof.

Definition. $(x_1, \ldots, x_n) \le (y_1, \ldots, y_n)$ iff $x_1 \le y_1 \wedge \cdots \wedge x_n \le y_n$.

Lemma 2.11. Let $S \subseteq \mathbb{N}^n$, and suppose that no two elements of S are comparable by ≤. Then S is finite.

Proof. We prove a stronger form.

Claim. Let $0 \le k \le n$, and let $S \subseteq \mathbb{N}^n$ be such that no two elements are comparable, but all elements are comparable in their first k positions (i.e., if $(u_1, \ldots, u_k, \ldots, u_n)$ and $(u'_1, \ldots, u'_k, \ldots, u'_n)$ are both in S, then either $(u_1, \ldots, u_k) \le (u'_1, \ldots, u'_k)$ or $(u'_1, \ldots, u'_k) \le (u_1, \ldots, u_k)$). Then S is finite.

Proof of claim. By induction on n-k.

Let $x = (x_1, \ldots, x_k, \ldots, x_n) \in S$ be chosen with minimal $(x_1, \ldots, x_k)$. Such an element exists by the total order assumption on the first k positions. For every $u = (u_1, \ldots, u_n) \in S$ not equal to x, there must be an i, $k < i \le n$, for which $u_i < x_i$, for otherwise u and x would be comparable. We count the members of S with $u_i = v$ separately for each $v < x_i$. We may assume without loss of generality that i = k+1, otherwise reordering the components. Let

$S_v = \{(u_1, \ldots, u_n) \in S : u_i = v\}$.

The first k+1 positions of $S_v$ are totally ordered, and no two elements of $S_v$ are comparable. Hence $S_v$ is finite by induction. Finally, $|S| \le \sum_{i=k+1}^{n} \sum_{v=1}^{x_i} |S_v|$, which is finite. ∎

Theorem 2.12. (Fischer) Let $t(n_1, \ldots, n_k) \ge n_1 + \cdots + n_k$ be a recursive, honest function (computable in time polynomial in t). There exists a set X such that for every deterministic Turing machine M accepting X, M runs for time at least $t(n_1, \ldots, n_k)$ on input $\langle n_1, \ldots, n_k\rangle$ for all but finitely many values of $n_1, \ldots, n_k$. Moreover, there is a deterministic machine $M_0$ which accepts X, and which takes at most $c\,n_1 \cdots n_k\,(n_1 + \cdots + n_k)\,t(n_1, \ldots, n_k)^{c'}$ time on input $\langle n_1, \ldots, n_k\rangle$ for some constants c and c'.


Proof. For clarity we prove theorem 2.12 for functions of two variables. The extension to k variables is straightforward. We use a priority argument. Let the deterministic machines be ordered in the usual manner, and let L(e) be the set accepted by the $e^{th}$ machine. We define X by describing machine $M_0$ which accepts X. On an input which is not an ordered pair, $M_0$ halts and does not accept. On input ⟨n,m⟩, $M_0$ runs stage (i,j) for all $(i,j) \le (n,m)$ in an order consistent with the partial order ≤, starting with (0,0). Each stage produces a value and a cancellation list. ⟨n,m⟩ is accepted if stage (n,m) returns value 1.

Stage (n,m). Let $C = \bigcup_{(i,j) < (n,m)} C(i,j)$, where C(i,j) is the cancellation list of stage (i,j). Let t = t(n,m). Run each of the first n+m machines for at most t steps on input ⟨n,m⟩. Let e be the first machine to halt. (If no such e exists, set C(n,m) = C and return 0.) Let C(n,m) = C ∪ {e}, and return 1 if and only if e does not accept ⟨n,m⟩.
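The stage procedure of $M_0$ for two variables, run on a constructed list of toy machines, as an added example in Python (not part of the thesis). Each "machine" is an assumed pair of functions giving the number of steps it takes on ⟨n,m⟩ and whether it then accepts; the bound t(n,m) and the machine list are assumptions. At a stage, machines already in C are skipped when looking for the first one to halt, which is how the proof's remark that a cancelled e' "will be in the set C computed at stage (n,m)" is read here.

```python
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Toy stand-in for "the e-th deterministic machine" (an assumption of this
# example): on input <n, m> it halts after steps(n, m) steps and then accepts
# iff accepts(n, m).  The index in the list plays the role of the usual ordering.
Machine = Tuple[Callable[[int, int], int], Callable[[int, int], bool]]


def t(n: int, m: int) -> int:
    """The honest time bound t(n, m) >= n + m used by the stages (assumed)."""
    return (n + m) ** 2 + 1


class Compression:
    """Machine M0 of theorem 2.12 for two variables, stage by stage.

    stage(n, m) returns (value, C(n, m)).  The union C over all (i, j) < (n, m)
    is formed by recursion, which is an order consistent with the partial
    order <=; results are memoized so every stage is computed exactly once."""

    def __init__(self, machines: List[Machine], bound: Callable[[int, int], int] = t):
        self.machines, self.bound = machines, bound
        self.memo: Dict[Tuple[int, int], Tuple[int, FrozenSet[int]]] = {}

    def stage(self, n: int, m: int) -> Tuple[int, FrozenSet[int]]:
        if (n, m) in self.memo:
            return self.memo[(n, m)]
        C: Set[int] = set()
        for i in range(n + 1):
            for j in range(m + 1):
                if (i, j) != (n, m):                      # (i, j) < (n, m)
                    C |= self.stage(i, j)[1]
        limit = self.bound(n, m)
        e = None
        # run each of the first n+m machines for at most t steps on <n, m>;
        # a machine already in C is skipped (it was cancelled at an earlier stage)
        for idx in range(min(n + m, len(self.machines))):
            steps, _ = self.machines[idx]
            if idx not in C and steps(n, m) <= limit:
                e = idx
                break
        if e is None:
            result = (0, frozenset(C))
        else:
            accepts = self.machines[e][1](n, m)
            result = (0 if accepts else 1, frozenset(C | {e}))   # diagonalize
        self.memo[(n, m)] = result
        return result

    def in_X(self, n: int, m: int) -> bool:
        return self.stage(n, m)[0] == 1

    def cancelled_within(self, N: int) -> FrozenSet[int]:
        """Indices cancelled at some stage (i, j) with i, j <= N."""
        out: Set[int] = set()
        for i in range(N + 1):
            for j in range(N + 1):
                out |= self.stage(i, j)[1]
        return frozenset(out)

    def first_disagreement(self, e: int, N: int):
        """First <n, m> (lexicographically, n, m <= N) on which L(e) differs
        from X, or None; a cancelled machine always has one."""
        for n in range(N + 1):
            for m in range(N + 1):
                if self.machines[e][1](n, m) != self.in_X(n, m):
                    return (n, m)
        return None


# Constructed machine list: three fast machines and one whose running time
# 3^(n+m) exceeds t(n, m) whenever it is examined (index 3 needs n + m >= 4).
MACHINES: List[Machine] = [
    (lambda n, m: 1, lambda n, m: True),
    (lambda n, m: 1, lambda n, m: n == m),
    (lambda n, m: 1, lambda n, m: (n + m) % 2 == 0),
    (lambda n, m: 3 ** (n + m), lambda n, m: n > m),
]

if __name__ == '__main__':
    M0 = Compression(MACHINES)
    print(sorted(M0.cancelled_within(6)))
    print([M0.first_disagreement(e, 6) for e in range(4)])
```

The three fast machines are each cancelled once and thereafter disagree with X at the stage that cancelled them; the slow machine is never cancelled, which is the situation of a machine e with L(e) = X in the proof.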
Suppose L(e) = X. Then e is never cancelled.

Every e' < e is cancelled during stage (i,j) for only finitely many values of i and j. To see this, let

$S_{e'} = \{(i,j) : e' \text{ is cancelled during stage } (i,j)\}$.

Clearly, if $(i,j) \in S_{e'}$, then $(n,m) \notin S_{e'}$ for any $(n,m) > (i,j)$, for e' will be in the set C computed at stage (n,m). Hence, the elements of $S_{e'}$ are pairwise incomparable, and $S_{e'}$ is finite by lemma 2.11. Let

$q = \max\big(\{n+m : (n,m) \in \bigcup_{e' < e} S_{e'}\} \cup \{e\}\big)$.

For every (n,m) with n+m > q, it must be the case that machine e runs for more than t(n,m) steps on input ⟨n,m⟩, otherwise e would have been cancelled at stage (n,m). Hence e runs for more than t(n,m) steps for all but the finitely many values of ⟨n,m⟩ for which n+m ≤ q.

Machine $M_0$ computing X runs in time at most n·m·(time per stage) on input ⟨n,m⟩. There are at most n+m machines to simulate at each stage, and each can be simulated in time O(t log t). The time to compute t is $O(t^{c'})$ by the honesty of t. Putting this together gives the time bound for $M_0$. ∎

We require an extension of the result of Chandra and Stockmeyer [CS76] and Kozen [Ko76] relating alternating space to deterministic time. Their theorem states that $ASPACE(s(n)) = \bigcup_{c > 0} DTIME(c^{s(n)})$ for any suitably honest s. The proof relies on a simulation of each type of machine by the other, and is easily extended to several variables.

Theorem 2.13. Let $s(n_1, \ldots, n_k)$ be constructible. Given any alternating Turing machine M which runs in space $s(n_1, \ldots, n_k)$ on input $\langle n_1, \ldots, n_k\rangle$, there is a deterministic Turing machine M' accepting L(M) which runs in time $c^{s(n_1, \ldots, n_k)}$ for some constant c. Conversely, given deterministic machine M running in time $c^{s(n_1, \ldots, n_k)}$ on input $\langle n_1, \ldots, n_k\rangle$, there is an alternating Turing machine M' accepting L(M) which runs in space $s(n_1, \ldots, n_k)$ on input $\langle n_1, \ldots, n_k\rangle$.


We are ready to prove the lower bound for B-PDL.

Theorem 2.14. (Fischer). Let M be any machine accepting SAT(B-PDL). Then there are constants d and d' such that for all but finitely many values of n and m there is a formula $F_{n,m}$ of length at most (n+m) containing at most m distinct Boolean variables, on which M runs for more than $2^{dn2^{d'm}}$ steps.

Proof. Let $t(n,m) = 2^{n2^m}$ and $t_2(n,m) = c\,nm(n+m)\,t(n,m)^{c'}$, where c and c' are the constants of theorem 2.12. There is a constant b such that $t_2(n,m) \le 2^{bn2^m}$. Let X be the set of theorem 2.12. By theorem 2.13, there is an alternating machine A accepting X which runs in space $n2^m$ on input ⟨n,m⟩. Lemma 2.10 asserts the existence of a formula $G_{n,m}$ of length at most $c_1(n+m)$ with at most $c_2 m$ Boolean variables such that $G_{n,m}$ is satisfiable iff ⟨n,m⟩ ∈ X. Moreover, $G_{n,m}$ can be found in time $(n+m)^k$. Hence, the following is a procedure for accepting X.

1. Given ⟨n,m⟩, construct $G_{n,m}$.

2. Test if $G_{n,m}$ is satisfiable by running M. If so, accept ⟨n,m⟩, else reject ⟨n,m⟩.

Let T(n,m) be the time M spends to decide $G_{n,m}$. Then the above procedure accepts X in time $(n+m)^k + T(n,m)$. By choice of X, $(n+m)^k + T(n,m) \ge t(n,m)$ for all but finitely many values of n and m. Hence there is a constant e such that $T(n,m) > 2^{en2^m}$. Let $c = \max\{c_1, c_2\}$, and let $F_{n,m} = G_{\lfloor n/c\rfloor, \lfloor m/c\rfloor}$. $F_{n,m}$ has length at most n+m and contains at most m Boolean variables. M decides $F_{n,m}$ in time $> 2^{dn2^{d'm}}$ for some d and d', for all sufficiently large n and m. ∎
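The last step, from $T(n,m) > 2^{en2^m}$ to the bound claimed for $F_{n,m}$, carried out with the symbols of the proof as an added derivation (not in the original). For $n \ge 2c$,

$$T(\lfloor n/c\rfloor, \lfloor m/c\rfloor) > 2^{e\lfloor n/c\rfloor 2^{\lfloor m/c\rfloor}} \ge 2^{e\,(n/c - 1)\,2^{m/c - 1}} \ge 2^{\frac{e}{4c}\, n\, 2^{m/c}},$$

since $\lfloor n/c\rfloor \ge n/c - 1 \ge n/(2c)$ when $n \ge 2c$, and $2^{\lfloor m/c\rfloor} \ge 2^{m/c-1} = \tfrac12 2^{m/c}$. Thus $d = e/(4c)$ and $d' = 1/c$ serve. Likewise $F_{n,m} = G_{\lfloor n/c\rfloor,\lfloor m/c\rfloor}$ has length at most $c_1(\lfloor n/c\rfloor + \lfloor m/c\rfloor) \le n + m$ and at most $c_2 \lfloor m/c\rfloor \le m$ Boolean variables, because $c \ge c_1$ and $c \ge c_2$.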


2.6. Multiple variable complexity bounds

In proving a lower bound for B-PDL which has nearly the same form as our upper bound, both being functions of n and m, we have demonstrated both the desirability and feasibility of proving bounds which are functions of more than just the length of the input. For most problems, some inputs are easier than others. For some, such as SAT(B-PDL), there are natural parameters of the input which appear in tight complexity bounds. Another example of such a problem is the not-everything problem for extended regular expressions [St75], which is decidable in time $2^{2^{\cdot^{\cdot^{cn^2}}}}$, a tower of height m+1, for expressions of length n with m complement symbols, as opposed to $2^{2^{\cdot^{\cdot^{c_1 n}}}}$ when m is left unspecified.

In our compression theorem we consider only inputs which are ordered pairs, showing that, even when inputs are restricted to ordered pairs, there are arbitrarily hard problems. For proving lower bounds, that is enough, and it results in a fairly clean proof. In general, though, a complexity bound is a function t(x) of the input, which might have the form t(n(x)) or t(n(x),m(x)), where n and m are simple functions of the input, such as its length. There is a need for a theory of more general complexity bounds than the traditional ones which depend only on the length of the input.


2.7. Conclusion

By showing that B-PDL is decidable, we have shown that PDL with any or all of the following extensions is decidable, provided basic programs represent indivisible actions: concurrency, assignment and quantification over bounded integers, gotos, labeled programs with formulas having access to labels, global invariance, "preserves," while and until (unnested). By the fact that B-PDL is no more expressive than PDL, we find that all of the above concepts can be simulated in PDL. We can view that fact two ways. One way is to view PDL as a surprisingly rich language. Another view is that any language which hopes to be more powerful than PDL must be able to express more than the above, or to deal with basic programs which are not indivisible.

One way to handle concurrency is by the brute force method of trying all possible interleavings. Owicki [OG76] presents a proof system for proving partial correctness which permits reasoning without considering all possible interleavings. The B-PDL simulation of concurrency also permits a more efficient way of handling concurrency than considering all possible interleavings. Improved efficiency results due to the exponential gap between our decision method for B-PDL and the naive method of translating from B-PDL into PDL, and then deciding the resulting PDL formula.

It would seem a reasonable criterion of any logic of concurrent programs that it be capable of dealing with concurrency with more finesse than can be achieved by reducing concurrent programs to while (or PDL) programs. For otherwise we might as well just use PDL to begin with. This observation applies equally well to decision procedures and proof systems. Any axiom system for $\mathrm{PDL}_{\parallel}$ which ultimately relies on reducing away concurrency by expressing it in terms of $\cup$, ; and $*$ (such systems have been shown to us more than once) is misguided.

It is an open problem to find a complete proof system for B-PDL. By the remarks above, an acceptable system would not rely on a costly elimination of Boolean variables. We have remarked that the axioms of condition B1 cannot form a complete axiomatization of B-PDL, when added to a system for PDL. Any system for B-PDL must somehow express the independence of $x\uparrow$ and other basic programs.


Chapter 3

In this chapter we describe a logic GPL in which variables and quantifiers are used to express properties of a given process π. By excluding programs from the syntax of GPL, we greatly simplify our analysis. Valid sentences of GPL are those which every process must obey, rather than those which some particular, potentially very complicated program must obey. It is possible to add programs to GPL, by adding new predicates.

GPL with programs is very similar to a version of Parikh's Second Order Process Logic (SOPL), in which first order quantifiers range over occurrences of states rather than over states. In contrast to standard SOPL, which is undecidable by Parikh [Pa78], we do not know whether GPL is decidable. However, we give two restrictions of GPL, each of which is decidable. The first is a semantic restriction, in which processes are required to be closed, in the sense that any path which can be followed arbitrarily long can also be followed infinitely long. In other words, processes must exhibit bounded nondeterminism. The second restriction of GPL is syntactic, and is shown in Chapter 4 to be very nearly expressively equivalent to the modal logic MPL. The theories of GPL and both of its restrictions are nonelementary.

3.1. Introduction

Many statements which we wish to make about processes concern the order of events on paths. A simple example is global invariance: at every time instant t, P(t) holds. For another example, suppose that P(t) represents a message sent at time t, and Q(t) is an acknowledgement. We may require that 1) for every time instant t, if P(t) holds, then there is a later time t' when Q(t') holds, and 2) for every time instant t for which Q(t) holds, there is a previous time t' when P(t') holds. The predicate calculus of an order immediately volunteers itself as a process logic. The parts of such a process logic are as follows:

1. Variables are called stage variables. A stage, or a time, is a finite path, which gives the history of a computation. Because it is impossible for a computation to proceed beyond a block, stage variables must range only over legal sequences.

2. $s \le t$, where s and t are stage variables, is a formula. In terms of paths, ≤ is simply the prefix relation.

3. P(t), where $P \in \Phi_0$ is a basic predicate, is a formula. The truth value of P(t) depends only on the final state of t.

We generally want to make statements about the paths in some set π. For example, to state that P(t) is globally invariant over π, we would say that, for every path h in π, and every stage t on h, P(t) holds. GPL must have some means of quantifying h, and selecting t on h. There are two obvious methods which we could use.

1. h can be specified implicitly by the semantics, either by letting h be a part of the environment, or by implicitly universally quantifying h before every formula. These approaches are taken in [Pn77, Pn79, GPSS80].

2. We can introduce variables which range over paths, and write "t on h" explicitly as $t \le h$.

Below we show that the first approach is inadequate; hence we choose the second. Path variables and stage variables both range over paths, so we could get by with a single type of variable, along with some additional predicates such as legal(x). Harel et al. [HKP80] seem convinced that a single type of variable is better than two, and define a logic based on a single type of variable. However, path variables and stage variables really have different purposes. Natural restrictions are easily expressed in terms of the two different types of variable. Therefore we choose to define path variables separately from stage variables.

1. Path variables range over paths in π. In order to allow for the possibility of diverging or blocking, we must allow path variables to range over infinite and illegal paths as well as terminating paths.

2. $t \le h$ is a formula, for t a stage variable and h a path variable. ($t \le s$ is still allowed.)

Informal specification of the logic GPL is almost complete. (A complete formal specification is given in section 3.2.) There is still one serious hole which needs filling. In the language given so far, while it is possible to state that path h can make no more progress at stage t, as $(t \le h \wedge \forall s\,(s \le h \Rightarrow s \le t))$, it is impossible to distinguish a path which is blocked at stage t from one which is terminated at stage t. We introduce the formula H(t,h) which means path h is terminated (or halted) at stage t. In terms of paths, H is just the equality predicate. We prefer H to = for the reasons that the parameters are of different types, and that H(t,h) corresponds to the atomic formula H of MPL.

Why path variables?

The subset TL of GPL without path variables or blocked paths has been studied as a viable process logic by Pnueli and Gabbay et al. [Pn77, GPSS80] who show it capable of expressing a number of significant properties of processes. However, there are some important properties of processes which appear to be expressible only by using path variables. Some, such as the absence of deadlock, depend on the existence of blocked paths, which most other authors have not considered (see Pratt [Pr78] for an exception). Others are more basic.

1. The fundamental property of global invariance,

$GI(p) = (\forall h \in \pi)(\forall t \le h)\, p(t)$

depends at least on a single universally quantified path variable. The approach of letting the path be part of a model is not suitable to describing processes which are sets of paths. The alternative approach of implicitly prefixing every formula by $(\forall h \in \pi)$, and permitting no further quantification of path variables, results in a logic which is not closed under semantic negation, for the negation of GI(p) begins $(\exists h \in \pi) \ldots$ In such a system it is possible for both p and $\neg p$ to fail to hold in a given model. It is out of the question to attempt to disprove a property when we can't even state its negation. Furthermore, an algorithm for deciding satisfiability of a system which is not closed under semantic negation does not immediately extend to deciding validity the way it does for logics which are closed under negation.

2. There are really two different notions of the "future" at a given stage t. One is the linear, determined future on a given path, or the future as it will happen. The other is the branching, undetermined future of all paths of which t is a prefix, or the future as it might happen. Lamport [L80] shows that neither notion of future is definable in terms of the other. Lamport argues that the linear notion of future is more appropriate for reasoning about concurrent processes, while the branching notion is more appropriate for reasoning about sequential processes (e.g., PDL uses branching futures). (We find neither completely adequate.) Since our system is to treat sequential and concurrent processes uniformly, we require both notions of future. "Throughout the future from time t" is expressed as $\forall s\,(t \le s \le h \Rightarrow \ldots)$ in the linear case, and $(\forall h \ge t)\,\forall s\,(t \le s \le h \Rightarrow \ldots)$ in the branching case.

3. We mentioned in Chapter 1 that we would give the writer of formulas the power to be his own oracle, making choices when he sees fit. Path quantifiers are the mechanism for making new choices. The absence of deadlock statement, assuming (or simulating) an oracle which does its best to resolve blocks without backtracking, can be expressed in GPL by the following formula, with nested, alternating path quantifiers.

$(\forall h)(\forall t \le h)\big(H(t,h) \vee (\exists h' \ge t)(\exists t')(t < t' \le h')\big)$.

Relation  of  GPL  to  SOPL 

Except for the absence of programs, GPL is very similar to Parikh's Second Order Process Logic (SOPL) [Pa78]. Both have two kinds of variables, and a means of ordering occurrences of states on a path. The major difference is that in SOPL first order variables range over states, while their analogs in GPL range over stages. As a consequence of that difference, while in SOPL it is possible to express that some state occurs twice on a given path, the same is not true for GPL. Thus, regardless of programs, GPL cannot simulate SOPL. However, we know of no really useful statement which can be made in SOPL, but not in GPL (ignoring programs), and, since Parikh has shown that SOPL is undecidable, we may not want the full power of SOPL. We do not know whether GPL is decidable.

When Parikh defines the restriction SOAPL of SOPL, he changes the meaning of first order quantifiers, letting them range over stages rather than states. But he restricts the use of path quantifiers to such an extent that they can no longer be used as we have used them in our absence of deadlock statement. In SOAPL, every time a path is quantified, it is restarted, and bound to a new process.

In Chapter 5 we show that, when programs are added to GPL, GPL is strictly more expressive than SOAPL.

The logics of Pratt [Pr78], Pnueli [Pn79] and Nishimura [N79] all restrict the use of path quantifiers the way SOAPL does, so they can't be used as they are in our absence of deadlock statement. Our less restrictive use of path quantifiers is a major difference between GPL (and MPL) and most process logics proposed to date.


3.2. Formal definition of GPL

The syntax and semantics of GPL are given below.

The truth value of a GPL formula is determined by an environment $E = (A, f)$, consisting of a structure $A = (U, \pi, \Phi_0, \phi_0)$, which supplies a process $\pi$ over the set $U$ of states and interprets the basic predicates, and a binding $f$ of variables to values, with $f(h) \in \pi$ for $h$ a path variable, and $f(t) \in pre(\pi)$ for $t$ a stage variable. $pre(\pi)$ is the set of all finite legal prefixes of members of $\pi$. Let $P \in \Phi_0$ be a basic predicate, $p$ and $q$ be GPL formulas, $s$ and $t$ be stage variables, and $h$ be a path variable.

1. $P(t) \in$ GPL; $E \models P(t)$ iff $end(f(t)) \in \phi_0(P)$.

2. $H(t,h) \in$ GPL; $E \models H(t,h)$ iff $f(t) = f(h)$.

3. a) $\neg p \in$ GPL; $E \models \neg p$ iff not $(E \models p)$;

   b) $(p \vee q) \in$ GPL; $E \models p \vee q$ iff $E \models p$ or $E \models q$.

The usual Boolean operators true, false, $\wedge$, $\Rightarrow$, etc. are defined in terms of $\vee$ and $\neg$.

4. a) $(t \le s) \in$ GPL; $E \models t \le s$ iff $f(t) \le f(s)$;

   b) $(t \le h) \in$ GPL; $E \models t \le h$ iff $f(t) \le f(h)$.

The semantic $\le$ is the prefix relation.

5. $\exists t\,p \in$ GPL; $E \models \exists t\,p$ iff $(\exists \tau \in pre(\pi))(E^t_\tau \models p)$.

6. $\exists h\,p \in$ GPL; $E \models \exists h\,p$ iff $(\exists \psi \in \pi)(E^h_\psi \models p)$.

$E^t_\tau$ ($E^h_\psi$) is the environment which assigns $f(t) = \tau$ ($f(h) = \psi$), with all other assignments being the same as in $E$. It is well known that the relations $<$, $=$ and $t = succ(t')$ (successor) can be expressed in terms of $\le$. For example,

$(t = succ(t')) \equiv$ $t$ is the next stage following $t'$

$\equiv t' < t \wedge \forall s\,(s \le t' \vee t \le s)$.
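Rules 1 to 6 can be executed directly when $\pi$ is finite. The following evaluator is an added example, not part of the thesis: it represents a path or stage as (initial state, tuple of transitions), enumerates $\pi$ and $pre(\pi)$, and evaluates the absence of deadlock formula of point 3 above on three constructed processes, together with the formula $D = (\exists t_1, t_2)(t_1 \ne t_2)$ discussed in section 3.6. Assumptions that are ours: processes are finite; a path whose transitions do not chain is a blocked path and contributes only its legal prefixes to $pre(\pi)$; the sample structures have no basic predicates; all identifiers are invented for the illustration.

```python
# Brute-force evaluator for the GPL semantics of rules 1-6, restricted to
# finite processes (every member of pi has finitely many transitions) so that
# pi and pre(pi) can be enumerated.  Added illustration, not the thesis's code.
#
# A path or stage is (initial_state, transitions), where transitions is a
# tuple of (src, dst) pairs and lambda is the empty tuple ().  A path whose
# transitions do not chain is illegal: it blocks after its last legal prefix.

def is_legal(path):
    u, trans = path
    return all(v == (trans[i - 1][1] if i else u)
               for i, (v, _) in enumerate(trans))

def end(stage):
    u, trans = stage
    return trans[-1][1] if trans else u

def is_prefix(a, b):
    # the semantic <= of rule 4: a is an initial segment of b
    return a[0] == b[0] and b[1][:len(a[1])] == a[1]

def pre(pi):
    # finite legal prefixes of members of pi; a blocked path contributes only
    # the stages before its first illegal transition
    return {(u, trans[:i]) for (u, trans) in pi
            for i in range(len(trans) + 1) if is_legal((u, trans[:i]))}

# Formulas are nested tuples mirroring rules 1-6:
#   ('P', name, t)   ('H', t, h)   ('not', p)   ('or', p, q)
#   ('le', t, s)     ('exists_t', t, p)   ('exists_h', h, p)
def holds(phi, A, f):
    """E |= phi for E = (A, f), A = (pi, phi0), phi0: name -> set of states."""
    pi, phi0 = A
    op = phi[0]
    if op == 'P':
        return end(f[phi[2]]) in phi0[phi[1]]
    if op == 'H':
        return f[phi[1]] == f[phi[2]]
    if op == 'not':
        return not holds(phi[1], A, f)
    if op == 'or':
        return holds(phi[1], A, f) or holds(phi[2], A, f)
    if op == 'le':
        return is_prefix(f[phi[1]], f[phi[2]])
    if op == 'exists_t':
        return any(holds(phi[2], A, {**f, phi[1]: tau}) for tau in pre(pi))
    if op == 'exists_h':
        return any(holds(phi[2], A, {**f, phi[1]: psi}) for psi in pi)
    raise ValueError(op)

# Derived connectives, defined from 'or' and 'not' as in rule 3.
def AND(p, q):   return ('not', ('or', ('not', p), ('not', q)))
def IMP(p, q):   return ('or', ('not', p), q)
def LT(t, s):    return AND(('le', t, s), ('not', ('le', s, t)))
def EQ(t, s):    return AND(('le', t, s), ('le', s, t))
def ALL_T(t, p): return ('not', ('exists_t', t, ('not', p)))
def ALL_H(h, p): return ('not', ('exists_h', h, ('not', p)))

# Absence of deadlock with an oracle that resolves blocks:
# (forall h)(forall t <= h)(H(t,h) or (exists h' >= t)(exists t')(t < t' <= h'))
NO_DEADLOCK = ALL_H('h', ALL_T('t', IMP(('le', 't', 'h'), ('or',
    ('H', 't', 'h'),
    ('exists_h', "h'", AND(('le', 't', "h'"),
        ('exists_t', "t'", AND(LT('t', "t'"), ('le', "t'", "h'")))))))))

# D = (exists t1, t2)(t1 != t2): there are two distinct stages in pre(pi).
D = ('exists_t', 't1', ('exists_t', 't2', ('not', EQ('t1', 't2'))))

def check(formula, pi):
    """Truth value of a closed formula over process pi with no basic predicates."""
    return holds(formula, (frozenset(pi), {}), {})

# Constructed sample processes over the states {0, 1, 2, 3}.
PI_TERMINATES = {(0, ((0, 1), (1, 2)))}       # one legal, terminating path
PI_BLOCKS     = {(0, ((0, 1), (2, 3)))}       # blocks after the stage (0,<0->1>)
PI_RESOLVED   = PI_BLOCKS | PI_TERMINATES     # the oracle can switch to the other path

if __name__ == "__main__":
    for name, pi in (("terminates", PI_TERMINATES), ("blocks", PI_BLOCKS),
                     ("resolved", PI_RESOLVED)):
        print(f"{name:10s} deadlock-free: {check(NO_DEADLOCK, pi)}")
    print("D on {(0,l)}:", check(D, {(0, ())}),
          " D on {(0,l),(1,l)}:", check(D, {(0, ()), (1, ())}))
```

The blocking process alone fails the formula at the stage $(0, \langle 0 \to 1\rangle)$, where no path continues; adding a second path through that stage restores it, which is exactly the choice point the alternating quantifiers $(\forall h)\ldots(\exists h')$ hand to the oracle. The two one-stage processes show $D$ separating structures that agree on every single path.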

We are ready to prove some technical results about GPL. We begin by defining a nonstandard semantics of GPL. Nonstandard GPL has the advantage of being more closely related to some other logics than is standard GPL, though standard GPL more closely reflects our intuition about the nature of processes and predicates. Since we show that the satisfiable formulas are the same under either semantics, we can interchange the two freely.

3.3. Nonstandard GPL

In most versions of the predicate calculus, an uninterpreted predicate $P(t)$ is interpreted freely over the same set as $t$ ranges over. But in GPL, basic predicates apply to stage variables, while they depend for their truth value only on the final state of a stage. Thus it is required that $P((u, \lambda)) = P((u, \langle u \to u\rangle))$. A natural extension to GPL is to permit the truth value of predicates to depend on the whole stage, not just the final state. That extension is nonstandard GPL. The logic N-GPL is defined exactly as GPL, replacing $\models$ by $\models_N$, with the exceptions that in a nonstandard structure $A^N = (U, \pi, \Phi_0, \phi_0^N)$, $\phi_0^N : \Phi_0 \to \mathcal{P}(S(U))$ is a more general interpretation of basic predicates, and rule (1) for GPL is replaced by

1'. $P(t) \in$ N-GPL; $E \models_N P(t)$ iff $f(t) \in \phi_0^N(P)$.

A natural question is whether the satisfiable (or valid) formulas of GPL and N-GPL are the same. The answer is yes.

Before proving that, we make a short digression concerning a strengthening of GPL. Rather than letting path variables range over $\pi$, and stage variables range over $pre(\pi)$, we could let path variables range over all paths in $\Psi(U)$, and stage variables range over all stages in $S(U)$. The ranges of quantifiers can be explicitly bounded using the special predicate $h \in \pi$.

Though the stronger version of GPL is more expressive than GPL, it is not as well behaved. The standard and nonstandard semantics do not yield the same satisfiable formulas in the strong version of GPL, for we can write a formula which says that $P$ holds for exactly one stage, as

$Q = \exists t\,\forall s\,(P(t) \wedge (P(s) \Rightarrow s = t))$.

$Q$ is certainly satisfiable under the nonstandard semantics, in either GPL or the strong version of GPL. But under the standard semantics, if $P((u, \sigma\langle v \to w\rangle))$ holds, then so must $P((u, \sigma\langle v \to w\rangle\langle w \to w\rangle))$, since both stages end on the state $w$; hence $Q$ is not satisfiable in the standard strong version of GPL.

Nevertheless, the satisfiable formulas of GPL are the same under the standard and nonstandard semantics. The reason is, intuitively, that by limiting the range of quantifiers, structures have more control over the truth of formulas. $Q$ is satisfiable in standard GPL; simply let $\pi$ be the singleton set $\{(u, \lambda)\}$.

Since the purpose of GPL is to describe the set $\pi$, it is unnatural to permit variables to range over a set larger than $\pi$ and its prefixes. Therefore we study the better behaved logic GPL.

Theorem 3.1. SAT(GPL) = SAT(N-GPL).

Proof. The inclusion SAT(GPL) $\subseteq$ SAT(N-GPL) is trivial, for $\phi_0^N$ can assign the same truth value to all stages which end on the same state.

Suppose $E^N = ((U^N, \pi^N, \Phi_0, \phi_0^N), f^N)$ is a nonstandard environment, and $E^N \models_N p$. We construct a standard environment $E^S = ((U^S, \pi^S, \Phi_0, \phi_0^S), f^S)$ for $p$ as follows, letting each state on a path remember the entire history up to its position.

$U^S = S(U^N)$.

$K : \Psi(U^N) \to \Psi(U^S)$. For finite $\psi$,

$K((u, \lambda)) = ((u, \lambda), \lambda)$,

$K((u, \langle v \to w\rangle)) = ((u, \lambda), \langle (u, \lambda) \to (u, \langle v \to w\rangle)\rangle)$,

$K(\psi\langle u \to v\rangle\langle w \to x\rangle) = K(\psi\langle u \to v\rangle) \cdot \langle \psi\langle u \to w\rangle \to \psi\langle u \to v\rangle\langle w \to x\rangle\rangle$.

For infinite $\psi$, $K\psi$ is the limit of $K\tau$ for all $\tau < \psi$.

$\pi^S = \{K\psi : \psi \in \pi^N\}$,

$\phi_0^S = \phi_0^N$,

$f^S = K \circ f^N$.

The states of $E^S$ are the stages of $E^N$. $K$ replaces each state $u$ in $\psi$ by the prefix of $\psi$ up to $u$. For example,

(*) $K((u, \langle u \to v\rangle\langle w \to x\rangle)) = ((u, \lambda), \langle (u, \lambda) \to (u, \langle u \to v\rangle)\rangle \langle (u, \langle u \to w\rangle) \to (u, \langle u \to v\rangle\langle w \to x\rangle)\rangle)$.

Notice that the second transition of the right hand side of (*) begins with $(u, \langle u \to w\rangle)$, not $(u, \langle u \to v\rangle)$. If $w = v$, then it makes no difference, and both sides of (*) are legal. On the other hand, if $w \ne v$, then both sides are illegal. It can be shown that

K1. $\psi$ is legal iff $K\psi$ is legal.

Other easily proved facts about $K$ are

K2. $\psi = end(K\psi)$ for all finite $\psi$;

K3. $\psi_1 \le \psi_2$ iff $K\psi_1 \le K\psi_2$.

Theorem 3.1 follows immediately from the following claim.

Claim. For every $p$, $E^N$ and associated $E^S$,

$E^N \models_N p$ iff $E^S \models p$.

Proof. By induction on the length of $p$.

$P(t)$. $E^N \models_N P(t) \iff f^N(t) \in \phi_0^N(P)$
$\iff f^N(t) \in \phi_0^S(P)$
$\iff end(Kf^N(t)) \in \phi_0^S(P)$ by K2,
$\iff end(f^S(t)) \in \phi_0^S(P)$
$\iff E^S \models P(t)$.

$H(t,h)$. $E^N \models_N H(t,h) \iff f^N(t) = f^N(h)$
$\iff Kf^N(t) = Kf^N(h)$ by K3, both directions,
$\iff f^S(t) = f^S(h)$
$\iff E^S \models H(t,h)$.

$\neg p$, $p \vee q$. Trivial.

$t \le s$. $E^N \models_N t \le s \iff f^N(t) \le f^N(s)$
$\iff Kf^N(t) \le Kf^N(s)$ by K3,
$\iff f^S(t) \le f^S(s)$
$\iff E^S \models t \le s$.

$t \le h$. Similar to $t \le s$.

$\exists t\,p$. $E^N \models_N \exists t\,p$ iff $(\exists \tau \in pre(\pi^N))((E^N)^t_\tau \models_N p)$. But the standard environment associated with $(E^N)^t_\tau$ is $(E^S)^t_{K\tau}$, so by induction

(**) $E^N \models_N \exists t\,p \iff (\exists \tau \in pre(\pi^N))((E^S)^t_{K\tau} \models p)$.

If $\tau$ is a finite legal prefix of some member of $\pi^N$, then by K1 and K3, $\tau' = K\tau$ is a finite legal prefix of some member of $\pi^S$. Hence

$E^N \models_N \exists t\,p \Rightarrow (\exists \tau' \in pre(\pi^S))((E^S)^t_{\tau'} \models p) \Rightarrow E^S \models \exists t\,p$.

Conversely, every $\tau' \in pre(\pi^S)$ is $K\tau$ for some $\tau \in pre(\pi^N)$, so

$E^S \models \exists t\,p \Rightarrow (\exists \tau' \in pre(\pi^S))((E^S)^t_{\tau'} \models p) \Rightarrow (\exists \tau \in pre(\pi^N))((E^S)^t_{K\tau} \models p) \Rightarrow E^N \models_N \exists t\,p$ by (**).

$\exists h\,p$. Similar to $\exists t\,p$, using $\pi$ in place of $pre(\pi)$. ∎
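The construction of $K$ and the facts K1 to K3 can be checked mechanically on finite stages. The following is an added example, not the thesis's code: it implements $K$ on stages represented as (initial state, tuple of transitions) and tests K1, K2 and K3 on constructed samples, including the $w \ne v$ case of (*). One choice is ours: the first transition is treated uniformly with the later ones, so the source of $\langle v \to w\rangle$ in $K((u, \langle v \to w\rangle))$ is $(v, \lambda)$; on legal stages, where $v = u$, this coincides with the definition above, and it is what makes K1 hold even when the very first transition is illegal.

```python
# The history-encoding map K from the proof of Theorem 3.1, on finite stages,
# with executable checks of K1-K3.  Added illustration, not the thesis's code.
# Stages are (initial_state, transitions), transitions a tuple of (src, dst).

def is_legal(stage):
    u, trans = stage
    return all(v == (trans[i - 1][1] if i else u)
               for i, (v, _) in enumerate(trans))

def end(stage):
    u, trans = stage
    return trans[-1][1] if trans else u

def is_prefix(a, b):
    return a[0] == b[0] and b[1][:len(a[1])] == a[1]

def K(stage):
    """Replace every state occurrence on `stage` by the prefix of `stage` up
    to that occurrence.  The i-th transition <v -> w> becomes
        <src_i -> (u, trans[:i+1])>
    where src_i is the length-i prefix with its final state replaced by v;
    for i = 0 that is (v, lambda).  On a legal stage the replacement changes
    nothing, so this agrees with the thesis's definition; on an illegal stage
    it is what carries the mismatch over to K(stage) (property K1).
    Assumption (ours): the first transition is treated like the others."""
    u, trans = stage
    out = []
    for i, (v, w) in enumerate(trans):
        if i == 0:
            src = (v, ())
        else:
            src = (u, trans[:i - 1] + ((trans[i - 1][0], v),))
        out.append((src, (u, trans[:i + 1])))
    return ((u, ()), tuple(out))

def k1(s):      return is_legal(K(s)) == is_legal(s)
def k2(s):      return end(K(s)) == s
def k3(s1, s2): return is_prefix(K(s1), K(s2)) == is_prefix(s1, s2)

# Constructed sample stages: legal ones, one that breaks at the second
# transition (the w != v case of (*)), and one that breaks at the first.
SAMPLE = [(0, ()), (0, ((0, 1),)), (0, ((0, 1), (1, 2))),
          (0, ((0, 1), (1, 2), (2, 0))), (0, ((0, 1), (2, 3))),
          (0, ((1, 2),)), (1, ()), (1, ((1, 0),))]

def verify(stages=SAMPLE):
    """True iff K1, K2 and K3 hold on every stage and pair of stages given."""
    return (all(k1(s) and k2(s) for s in stages)
            and all(k3(a, b) for a in stages for b in stages))

if __name__ == "__main__":
    print("K1-K3 hold on sample:", verify())
    # (*) with u,v,w,x = 0,1,2,3: the second transition starts at (0,<0->2>)
    print(K((0, ((0, 1), (2, 3)))))
```

Running it reproduces (*): for the illegal stage $(0, \langle 0 \to 1\rangle\langle 2 \to 3\rangle)$ the second transition of $K$ starts at $(0, \langle 0 \to 2\rangle)$, which is not the end of the first transition, so the image is illegal exactly as the original is.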


3.4. A lower bound for GPL

We show that $L(\mathbb{N}, \le, P)$, the theory of the natural numbers under the usual order $\le$ with a monadic uninterpreted predicate $P$, is embedded in N-GPL. $L(\mathbb{N}, \le, P)$ is nonelementary by Meyer [M74].

Syntactically, $L(\mathbb{N}, \le, P)$ is a subset of GPL, with integer variables corresponding to stage variables. Stages can be made to correspond to integers, with prefix corresponding to $\le$ on $\mathbb{N}$, by quantifying stage variables relative to a particular infinite path $h$. The existence of such a path in a GPL model is ensured by $(\exists h)(\forall t \le h)(\exists s \le h)(t < s)$. In nonstandard semantics, any interpretation of $P$ by an $L(\mathbb{N}, \le, P)$-model can be duplicated by a GPL model. Since SAT(GPL) = SAT(N-GPL) by Theorem 3.1, the lower bound obtained for N-GPL carries over to GPL. Further details of the embedding are left to the reader.

Theorem 3.2. The validity (equivalently the satisfiability) problem for GPL is not elementary recursive. ∎


3.5. Closed GPL

Though we do not know whether GPL is decidable, we can show that GPL over a particular class of processes, the closed processes, is decidable. Moreover, there are some properties which can be expressed in GPL for closed processes, but which may not be expressible in GPL for arbitrary processes. Hence, for some applications, closed GPL may be more suitable than GPL.

Definition. A process $\pi$ is closed if for every ascending prefix chain $\tau_1 < \tau_2 < \ldots$, each of whose members is in $pre(\pi)$, the limit of the sequence $\tau_1, \tau_2, \ldots$ is in $\pi$.

Example 1. If $\pi$ is the set of paths in a finite branching, but possibly infinite depth, tree, then by König's lemma it is closed.

Example 2. $\pi = \{(0, \langle 0 \to 0\rangle^i\langle 0 \to 1\rangle\langle 1 \to 1\rangle^\omega) : i \ge 0\}$ is not closed, for $(0, \langle 0 \to 0\rangle^i)$ is in $pre(\pi)$ for all $i$, but $(0, \langle 0 \to 0\rangle^\omega)$ is not in $\pi$.

In Chapter 1 we described an interpreter which evaluates processes. Whenever the interpreter encounters a block on one path, it tries another path. Suppose we run the interpreter on the non-closed process $\pi = \{(0, \langle 0 \to 0\rangle^i) : i \ge 0\}$. The interpreter would constantly choose longer and longer paths; in fact, it would behave as if it were following the fictitious path $(0, \langle 0 \to 0\rangle^\omega)$. Of course, that path is in the closure of $\pi$. Allowing the interpreter to change paths at will in effect closes the process being evaluated. Thus, in closed processes, our notion of an interpreter makes sense. In non-closed processes we must be very careful.

The usual sequential program constructs if-then-else, while-do, and sequencing preserve closed processes. However, as mentioned on page 9, a fair concurrency operator does not preserve closed processes. Closed GPL, or C-GPL, can be thought of as the theory of sequential processes.

Sequential processes are often deterministic. If those processes are also assured to be closed, then C-GPL can be made into a logic of deterministic sequential processes, for "$\pi$ is deterministic" can be expressed in GPL as

$(\forall t_1, t_2, t_3 \in pre(\pi))(t_2 = succ(t_1) \wedge t_3 = succ(t_1) \Rightarrow t_2 = t_3)$.

There are satisfiable GPL formulas which are not satisfied by any environment whose process is closed. An example is a formula which expresses

1) $\pi$ contains no infinite paths, and

2) for every stage in $pre(\pi)$, there is a longer stage in $pre(\pi)$.

Clearly, no closed process can satisfy both (1) and (2). But the process $\{(0, \langle 0 \to 0\rangle^i) : i \ge 0\}$ does satisfy both of them. (1) and (2) are written in GPL as

1) $(\forall h)(\exists t \le h)(\forall s \le h)(s \le t)$,

2) $(\forall t)(\exists s)(t < s)$.

We have just proved

Theorem 3.3. SAT(C-GPL) $\ne$ SAT(GPL). ∎

This is in contrast to SOAPL, where any satisfiable formula is satisfied by a closed model.

C-GPL may in a sense be more expressive than GPL. Suppose we wish to write "$\pi$ must terminate," in the sense that $\pi$ can't run forever, and $\pi$ can't block, assuming an interpreter which tries all alternatives whenever a block is encountered. In C-GPL, "$\pi$ must terminate" is expressed by the GPL equivalent of the following two sentences:

1. $\pi$ contains no infinite paths.

2. If path $h \in \pi$ blocks at stage $t$, then there is a path $h' \in \pi$, with $t$ as a prefix, which does not block at stage $t$.

In C-GPL, sentence (2) is $(\forall h)(\forall t \le h)(H(t,h) \vee (\exists h' \ge t)(\exists t' \le h')(t < t'))$. Sentences (1) and (2) can of course be written in GPL, but they no longer have the desired meaning. For the process $\pi = \{(0, \langle 0 \to 0\rangle^i\langle 1 \to 1\rangle) : i \ge 0\}$ satisfies both (1) and (2), although $\pi$ contains no terminating paths: the final transition $\langle 1 \to 1\rangle$ of each member does not start from the state 0 reached before it, so every member blocks there, yet every stage $(0, \langle 0 \to 0\rangle^i)$ is extended by a longer member. The reader should be able to convince himself that (1) and (2) do express "$\pi$ must terminate" when $\pi$ is closed. There does not appear to be any way to express "$\pi$ must terminate" which has the desired meaning for all processes.

There is an algorithm for deciding satisfiability of formulas in C-GPL. Following Parikh [Pa78], we embed nonstandard C-GPL into SnS, the second order theory of $n$ successors (Rabin [R69]). SnS is recursive by Rabin, and nonelementary by Meyer [M74].

SnS describes strings over a finite alphabet $\Sigma = \{s_1, \ldots, s_n\}$. There are two kinds of variables: first order variables, ranging over $\Sigma^*$, and second order variables, ranging over $\mathcal{P}(\Sigma^*)$. In addition to variables and the symbols $\exists$, $\vee$, $\neg$, there are primitive formulas for relating variables:

1. $x = y \cdot s_i$, where $x$ and $y$ are first order variables, and $\cdot$ is concatenation.

2. $x \in X$, where $x$ is first order, and $X$ is second order.

Theorem 3.4. SAT(N-C-GPL) is recursive.

Corollary 3.5. SAT(C-GPL) is recursive.

Proof. In the proof of Theorem 3.1, if $\pi^N$ is closed, then so is $\pi^S$; hence that proof also gives SAT(C-GPL) = SAT(N-C-GPL), and Theorem 3.4 applies. ∎

Corollary 3.6. Deterministic C-GPL is recursive.

Proof. We showed above how to express "$\pi$ is deterministic" in GPL. ∎
Proof of Theorem 3.4. The idea is to encode a nonstandard structure into set variables in SnS. The structure $A = (U, \pi, \Phi_0, \phi_0^N)$ is coded as follows:

1. Let $U = \{u_1, u_2, \ldots\}$. $u_i$ is coded as $\$a^i\$$.

2. The finite paths of $\pi$ can be coded into a single set variable $\Pi_f$. A finite legal path is represented by a string in $(\$a^*\$)^+ \cdot \tau$, where $\tau$ is a special symbol flagging a terminated path. A blocked path is represented by the sequence of states up to the first block, followed by the special symbol $b$.

3. Infinite paths are coded as limits of sets of finite paths. The set variable $\Pi_i$ holds all finite legal prefixes of infinite paths in $\pi$. Because $\pi$ is closed, the limits of infinite prefix chains of members of $\Pi_i$ are exactly the infinite legal paths in $\pi$.

4. Let $\Phi_0 = \{P_1, \ldots, P_k\}$. For every $1 \le i \le k$ there is a set variable $F_i$ which holds $\phi_0^N(P_i)$, the set of finite legal paths which satisfy $P_i$.

Before defining the translation $Q$: C-GPL $\to$ SnS, we list some useful abbreviations for SnS formulas.

1. The prefix relation $x \le y$ on strings can be expressed in SnS as

$x \le y \equiv \forall X\,\big(x \in X \wedge \bigwedge_{i=1}^{n}(\forall z \in X)(\exists w \in X)(w = z \cdot s_i) \Rightarrow y \in X\big)$.

2. $x = y \equiv x \le y \wedge y \le x$.

3. $X \subseteq Y \equiv \forall x\,(x \in X \Rightarrow x \in Y)$.

4. $singleton(X) \equiv \forall x\,\forall y\,(x \in X \wedge y \in X \Rightarrow x = y) \wedge \exists x\,(x \in X)$.

5. $ordered(X) \equiv$ $X$ is linearly ordered under prefix $\equiv \forall x\,\forall y\,(x \in X \wedge y \in X \Rightarrow (x \le y \vee y \le x))$.

6. $ascending(X) \equiv \forall x\,\exists y\,(x \in X \Rightarrow y \in X \wedge x < y)$.

7. $infinitepath(X) \equiv$ $X$ represents a single infinite path $\equiv ordered(X) \wedge ascending(X)$.

8. $end(x, s_i) \equiv \exists y\,(x = y \cdot s_i)$, i.e., $x$ ends on the symbol $s_i$.

9. If $R$ is a regular expression over $\Sigma$, $x \in R$ can be expressed in SnS. See Parikh [Pa78].

10. $in\pi(X) \equiv (singleton(X) \wedge X \subseteq \Pi_f) \vee (infinitepath(X) \wedge X \subseteq \Pi_i)$.

11. $inpre\pi(x) \equiv x \in (\$a^*\$)^+ \wedge \exists y\,(x \le y \wedge y \in \Pi_i \cup \Pi_f)$.

Let $t_1, t_2, \ldots$ be the stage variables, and $h_1, h_2, \ldots$ be the path variables. Associated with each $t_i$ is a first order variable $x_i$. The value in $x_i$ is always a member of $(\$a^*\$)^+$. Associated with each $h_i$ is a set variable $X_i$, which contains a single string, ending on $b$ or $\tau$, when $h_i$ is finite, and contains all finite prefixes of $h_i$ when $h_i$ is infinite. Define $T$: C-GPL $\to$ SnS inductively as follows:

$T(P_j(t_i)) = x_i \in F_j$.

$T(H(t_i, h_j)) = singleton(X_j) \wedge \exists y\,(y \in X_j \wedge y = x_i \cdot \tau)$.

$T(t_i \le t_j) = x_i \le x_j$.

$T(t_i \le h_j) = \exists y\,(y \in X_j \wedge x_i \le y)$.

$T(\neg p) = \neg T(p)$.

$T(p \vee q) = T(p) \vee T(q)$.

$T(\exists t_i\,p) = \exists x_i\,(inpre\pi(x_i) \wedge T(p))$.

$T(\exists h_i\,p) = \exists X_i\,(in\pi(X_i) \wedge T(p))$.

Let $R = (\$a^*\$)^+$. $Q$: C-GPL $\to$ SnS is defined by

$Q(p) = (\exists \Pi_f, \Pi_i, F_1, \ldots, F_k)\,\big(\Pi_i \subseteq R \wedge \Pi_f \subseteq R \cdot (\tau \cup b) \wedge \bigwedge_{j=1}^{k} F_j \subseteq R \wedge ascending(\Pi_i) \wedge \bigwedge_i inpre\pi(x_i) \wedge \bigwedge_j in\pi(X_j) \wedge T(p)\big)$,

where the last two conjunctions range over the stage and path variables free in $p$.

Claim. $p \in$ SAT(N-C-GPL) iff $Q(p)$ is true.

Proof. We have already explained how to obtain $\Pi_f$, $\Pi_i$, $F_1, \ldots, F_k$ from a structure. All of the conditions on $\Pi_f$, $\Pi_i$, $F_1, \ldots, F_k$ listed in $Q(p)$ are easily seen to hold for the values obtained from a structure. It is routine to show that those values also satisfy $T(p)$, provided $(A, f) \models_N p$, and $x_i$ and $X_j$ are given the values associated with $f(t_i)$ and $f(h_j)$ respectively, for all $i$ and $j$.

Conversely, the conditions on $\Pi_f$, $\Pi_i$, $F_1, \ldots, F_k$ listed in $Q(p)$ are sufficient to ensure that $\Pi_f$, $\Pi_i$, $F_1, \ldots, F_k$ define a structure. The process of that structure is clearly closed. Again, it is routine to show that $T(p)$ is true iff $(A, f) \models_N p$, where $A$ is the structure defined by $\Pi_f$, $\Pi_i$, $F_1, \ldots, F_k$, and $f$ assigns the values associated with $x_i$ and $X_j$ to $t_i$ and $h_j$ respectively, for all $i$ and $j$. ∎
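To make the coding concrete, here is an added example, not the thesis's code, that codes the finite paths of a constructed process as in steps 1 to 4 and implements the finite part of abbreviation 11 together with the translations of $H(t_i, h_j)$ and $t_i \le h_j$. Assumptions that are ours: states are numbered from 1; the ASCII letters T and b stand for the flags $\tau$ and $b$; infinite paths and $\Pi_i$ are not handled. It also checks the property the $\$$ delimiters are there for: string prefix on codes agrees with the prefix relation on stages, which is what lets abbreviation 1 stand in for the semantic $\le$ of rule 4.

```python
import re

# The string coding from the proof of Theorem 3.4, for the finite paths of a
# process, with the prefix test of abbreviations 1 and 11 and the translations
# of H(t,h) and t <= h.  Added illustration, not the thesis's code.
# Assumptions: states are numbered 1, 2, ...; "T" stands for the terminated
# flag tau and "b" for the block flag; infinite paths are not handled.

def is_legal(path):
    u, trans = path
    return all(v == (trans[i - 1][1] if i else u)
               for i, (v, _) in enumerate(trans))

def code_state(i):
    return "$" + "a" * i + "$"          # u_i  ->  $a^i$

def code_stage(stage):
    u, trans = stage
    return code_state(u) + "".join(code_state(w) for (_, w) in trans)

def code_path(path):
    """Terminated legal path -> its states followed by T;
    blocked path -> states up to the first illegal transition, followed by b."""
    u, trans = path
    out, cur = code_state(u), u
    for (v, w) in trans:
        if v != cur:
            return out + "b"
        out, cur = out + code_state(w), w
    return out + "T"

def pi_f(pi):
    return {code_path(p) for p in pi}   # the set variable Pi_f

R = re.compile(r"(\$a*\$)+")           # the regular set R = ($a*$)+

def in_pre_pi(x, Pi_f):
    # abbreviation 11 (finite part): x in R and some coded path extends x
    return R.fullmatch(x) is not None and any(y.startswith(x) for y in Pi_f)

def T_H(x, X):
    # T(H(t,h)) = singleton(X) and exists y (y in X and y = x . tau)
    return len(X) == 1 and (x + "T") in X

def T_le_h(x, X):
    # T(t <= h) = exists y (y in X and x <= y), <= being string prefix
    return any(y.startswith(x) for y in X)

def stage_prefix(a, b):
    return a[0] == b[0] and b[1][:len(a[1])] == a[1]

def codes_respect_prefix(stages):
    """The "$" delimiters make string prefix agree with stage prefix; without
    them code_state(1) = "a" would be a prefix of code_state(2) = "aa"."""
    return all(code_stage(b).startswith(code_stage(a)) == stage_prefix(a, b)
               for a in stages for b in stages)

# Constructed sample: one terminating path and one that blocks after (1,<1->2>).
PI = {(1, ((1, 2), (2, 3))), (1, ((1, 2), (3, 4)))}
STAGES = [(1, ()), (1, ((1, 2),)), (1, ((1, 2), (2, 3))), (2, ()), (2, ((2, 3),))]

if __name__ == "__main__":
    Pi_f = pi_f(PI)
    print(sorted(Pi_f))
    print(in_pre_pi(code_stage((1, ((1, 2),))), Pi_f),
          in_pre_pi(code_stage((1, ((1, 3),))), Pi_f))
    print(codes_respect_prefix(STAGES))
```

The blocked path is coded as `$a$$aa$b`, so its stage `$a$$aa$` is in $pre(\pi)$ through abbreviation 11 while $T(H)$ is false for it, which is the coding's way of saying the path neither terminates nor continues there.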

Theorem 3.7. SAT(C-GPL) is not elementary recursive.

Proof. The proof of Theorem 3.2 requires only singleton processes, which are closed. ∎

3.6. $GPL_M$

In Chapter 4 we define a modal logic MPL, and show that MPL is decidable. $GPL_M$ is a subset of GPL which is expressively equivalent to MPL over MPL environments, which are a subset of $GPL_M$ environments. Decidability of $GPL_M$ follows from the effectiveness of the embedding of $GPL_M$ in MPL.

While SAT($GPL_M$) is not elementary recursive, SAT(MPL) is in DTIME($2^{2^{cn}}$) for some constant $c$. Hence, even though MPL and $GPL_M$ have equal expressive power, MPL seems to be a more reasonable logic. The main purpose in studying $GPL_M$ is to get a handle on just how powerful MPL is.

The $GPL_M$ formulas are characterized by the following rules.

1. Every $GPL_M$ formula has only one path variable $h$, though $h$ may be repeatedly requantified.

2. Every subformula of the form $\exists h\,p$ of a $GPL_M$ formula has exactly one free variable.

3. $h$ can only be quantified relative to some stage variable, as $(\exists h \ge t)p$.

4. Every stage variable $s$ can only be quantified beyond another stage $t$, and on path $h$, as $\exists s\,(t \le s \le h \wedge p)$.

$GPL_M$ can be regarded as an extension of Gabbay et al.'s [GPSS80] future temporal logic (FTL). An FTL formula describes a particular path $h$. Path quantifiers are not allowed, and stage quantifiers range over $h$. In addition, every stage quantifier must have the form $(\exists s \ge t)$, where $t$ is a distinguished stage variable.

$GPL_M$ permits path quantifiers in certain settings. Wherever $P(s)$ may appear in an FTL formula, $(\exists h \ge s)p$ may appear in a $GPL_M$ formula, where only $s$ is free in $(\exists h \ge s)p$. Thus a means is provided of considering all possible continuations from a given point on a path.

The restrictions made on $GPL_M$ are superficially similar to those made by Parikh on SOAPL. However, unlike SOAPL, whose every satisfiable formula, according to Parikh, is satisfied by a closed process, $GPL_M$ contains formulas which are satisfied only by processes which are not closed. An example of such a formula is a modification of the one given for GPL on page 84. In abbreviated form it is:

1. $(\forall h \ge t)(\exists t', t \le t' \le h)(\forall t'', t \le t'' \le h)(t'' \le t')$,

and

2. $(\forall h \ge t)(\forall t', t \le t' \le h)(\exists h \ge t')(\exists t'', t' \le t'' \le h)(t' < t'')$.

In words,

1. Every member of $\pi$ is finite, i.e., there is a maximal stage on every path.

2. For every stage of every path, there is a longer stage, possibly of a different path.

In Chapter 5 we show that, when programs are added to MPL, MPL can simulate SOAPL.

While closed processes are not sufficient for all $GPL_M$ formulas, there is a different countable class of processes which is complete for $GPL_M$, in the sense that every satisfiable formula is satisfied by an environment whose process is a member of the class. That class is the class of LL-processes, defined in Chapter 4. There it is shown that LL-processes are complete for MPL.

$GPL_M$ is a real restriction of GPL. Even without using path variables, we can write a GPL formula which is not equivalent to any $GPL_M$ formula in all environments. Such a formula is $D = (\exists t_1, t_2)(t_1 \ne t_2)$. $D$ is not a $GPL_M$ formula, for $t_1$ and $t_2$ are not quantified relative to any path. $D$ simply states that there are two distinct stages in $pre(\pi)$. Consider the two structures $A_1$ and $A_2$, both with states $\{0, 1\}$, $\Phi_0 = \emptyset$ and $\phi_0 = \emptyset$, but with $\pi_1 = \{(0, \lambda)\}$ and $\pi_2 = \{(0, \lambda), (1, \lambda)\}$. Clearly $A_1$ does not satisfy $D$, while $A_2$ does. In $GPL_M$ it is only possible to compare stages on the same path. But in $A_1$ and $A_2$ every path has only one prefix, namely itself, so $s \le t$ is always true. Clearly, $GPL_M$ cannot distinguish $A_1$ from $A_2$.

The proof of Theorem 3.2 is easily modified to give the result that $GPL_M$ is not elementary recursive.

Here is a summary of our results concerning $GPL_M$.

$GPL_M$ is decidable but nonelementary.

$GPL_M$ is strictly less expressive than GPL.

SAT($GPL_M$) $\ne$ SAT(Closed $GPL_M$).

$GPL_M$ (MPL) with programs (see Chapter 5) is more expressive than SOAPL.
3.7. Open questions

As mentioned, we do not know whether GPL is decidable, although it is at best nonelementary. Although there are satisfiable GPL formulas which are not satisfiable by any closed process, there may be another countable class of processes which is complete for GPL. A candidate is the class of LL-processes, which is at least complete for the subset $GPL_M$. Though we do not know whether LL-processes are complete for GPL, neither do we know of any satisfiable formula which is not satisfiable by an LL-process. Whether or not LL-processes are complete for GPL, they form an interesting class, and a study of GPL over them would be worthwhile.

We mentioned that we do not believe it is possible in GPL to state that $\pi$ must terminate, though we have not proven it. Along the same lines, is it possible in GPL to state that $\pi$ is closed? That $\pi$ is an LL-process? (We conjecture "no" in both cases.)




Chapter 4

Modal Process Logic

In this chapter we define a process logic MPL, which is based on the use of certain operators to express properties of processes, rather than on explicit quantification of variables. We show that the expressive power of MPL exceeds that of some other proposed process logics, and is equal to the expressive power of $GPL_M$. Nevertheless, MPL has an elementary recursive decision problem. A major portion of this chapter is spent presenting an algorithm for deciding validity of MPL formulas, and proving that the algorithm works. The worst case running time of the algorithm is $O(2^{2^{cn}})$ on inputs of length $n$, for some constant $c$, and is far less on many inputs. Lastly, we derive a complete proof system for MPL from the decision algorithm.

4.1. An introduction to modal process logic.

The process logics studied in Chapter 3 all involved explicit variables and quantifiers. While quantifiers are powerful, they can be difficult to deal with, both on a formal and an intuitive level. An alternative is to make quantifiers implicit in certain operators. For example, rather than expressing global invariance as $\forall t\,P(t)$, we could create an operator "GI," and simply write $GI(P)$. A modal logic can look very much like propositional calculus, with a few more operators, and can be handled in ways reminiscent of standard methods for dealing with propositional calculus. Proof systems for modal logic can be elegant, not having to deal with the problems arising from explicit variables.

Some  languages  which  fit  into  the  modal  process  logic 
class  are  described  briefly  below. 

Hoare's logic [Ho69], based on the partial correctness assertion $p\{A\}q$, was one of the first to be studied. The partial correctness statement $p\{\pi\}q$ can be expressed in GPL as $(\forall h)(p(t) \Rightarrow (\forall t' \le h)(H(t', h) \Rightarrow q(t')))$, quite a long statement of a relatively simple property. Hoare Logic has the nice property that the statements it is designed to handle can be expressed concisely. An obvious shortcoming of Hoare Logic is that only partial correctness can be expressed.

Pratt's Dynamic Logic [Pr76] extends Hoare's Logic. Dynamic Logic is based on the operator $[A]$. $[A]p$ holds at state $u$ if $p$ holds at every state where $A$ could terminate, after being started in state $u$. The Hoare style partial correctness assertion $p\{A\}q$ can be expressed in Dynamic Logic as $p \Rightarrow [A]q$.

While Dynamic Logic is a termination oriented logic, more general properties of programs can be expressed in an augmented version of Dynamic Logic. We simply add whatever new operators we desire. Pratt [Pr78] suggests, among others, a global invariance operator $(A)p$, meaning that $p$ holds throughout the execution of program $A$.

Dynamic logic illustrates a general property of modal logics: a formula is not simply true or false, but is true at a given state, or, in the case of logics to follow, at a given stage on a given path.

Hoare  style  logic  and  Dynamic  Logic  are  closely  tied 
to  programs  as  syntactic  entities.  But  other  languages 
have  been  studied  which  do  not  include  programs,  and  so 
are  more  like  GPL.  A  logic  of  Pnueli  [Pn79]  has  two  basic 
operators,  G  and  X.  Gp  (generally  p)  holds  at  stage 
t  on  path  if  p  (x^)  holds  for  every  t  <  t'  <  1(1.  Xp  holds 
at  stage  t  on  path  if  p  holds  for  the  successor  of  x 
on  if*.  Pnueli  deals  only  with  infinite  paths,  so  there  is 
no  concern  over  whether  the  successor  of  x  exists. 

Gabbay, Pnueli et al. [GPSS80] study a logic based on the operator until suggested by Kamp [K68], in terms of which both G and X can be expressed. They present a proof system for the logic of until and show that any statement which can be made using explicit time variables and quantifiers (or, in the GPL sense, stage variables and quantifiers) can be expressed in the logic of until. (p until q) holds at stage t on $\psi$ if q holds for some $t' > t$ on $\psi$, and p holds for every $t''$ between t and $t'$.

Owicki [Ow78] suggests an operator while, p while q meaning "p holds as long as q continues to hold." In view of the fact that p until q can be expressed in terms of while and X, it is of little concern which basis is chosen.

It is important to notice that the meaning of all of the operators G, X, until and while can be expressed in terms of stage quantifiers only. Hence any logic based solely on them must be severely restrictive in its use of path quantifiers. Lamport [L80], in his branching time logic, and Abrahamson [A79], go to the other extreme, forcing path quantifiers and stage quantifiers to appear in pairs.

Recently, Nishimura [N79] and Harel, Kozen and Parikh [HKP80] have extended the logic of until, introducing operators which stand for path quantifiers relative to certain programs. These logics were unknown to us when we developed MPL, and seem to extend the language of until in a slightly different direction. As programs are an integral part of those logics, we discuss them in Chapter 5.

4.2. The logic MPL

There are two types of operators in MPL, stage operators, which replace stage quantifiers, and path operators, which replace path quantifiers. Additionally, there is a special symbol H which replaces H(t,h). MPL can be regarded as a syntactic restriction of GPL_M, and we give the GPL_M equivalent of each operator when defining it.

The truth value of an MPL formula depends on a particular path and a particular stage on that path. Reflecting that are the two free variables h and t in the GPL_M equivalents of MPL formulas.

Stage operators

Stage operators are used to express properties of a given path. There are two primitive operators, Y and W, the rest being defined in terms of them.

1. Yp means "if there is a successor to t on h, then p holds there," and is equivalent to the GPL_M formula

$Yp \equiv (\forall s,\ t < s \le h)\,((\forall r,\ t \le r \le h)(r \le t \vee s \le r) \supset p(s))$.

2. $Xp \equiv \neg Y \neg p$ means "there is a successor to t on h, and p holds there."

3. pWq (p while q) means "as long as q continues to hold beyond t on h, p continues to hold," and is equivalent to the GPL_M formula

$pWq \equiv (\forall s,\ t \le s \le h)\,((\forall r,\ t \le r \le h)(r \le s \supset q(r)) \supset p(s))$.

4. $pBq \equiv \neg(\neg p\,W\,\neg q)$ (p before q) means "p holds at some stage $t' \ge t$, and q does not hold at any stage before or equal to $t'$."

5. $Gp \equiv pW\,\mathrm{true}$ (generally p) means "p holds at every stage beyond t on h."

6. $Fp \equiv \neg G \neg p \equiv pB\,\mathrm{false}$ (in the future p) means "p holds at some stage beyond t on h."

Although, as mentioned earlier, W and Y can both be expressed in terms of the single operator until, we find the two operators W and Y more convenient. Until is expressed in terms of W and Y as

$p\ \mathrm{until}\ q \equiv X(Fq \wedge pW\neg q)$.

Path operators

We have already given compelling reasons for having path quantifiers in GPL. The same reasons are equally compelling for MPL. As a substitute for path quantifiers, we introduce the operator $\Box$, suggested by Michael J. Fischer [private conversation], and its dual $\Diamond$. $\Box$ universally quantifies a certain path variable h, and $\Diamond$ existentially quantifies h.

1. $\Box p$ is equivalent to the GPL_M formula $(\forall h \ge t)\,p(t,h)$.

2. $\Diamond p \equiv \neg\Box\neg p$ is equivalent to the GPL_M formula $(\exists h \ge t)\,p(t,h)$.

4.3. Formal semantics of MPL

A formal semantics for MPL, independent of GPL_M, is as follows: An environment $E = (A,\psi,\tau)$ consists of a structure $A = (U,\pi,\Phi_0,\phi_0)$, a path $\psi \in \pi$, and a stage $\tau \le \psi$. We write $\psi,\tau \models p$ for $(A,\psi,\tau) \models p$ when A is understood. Let $P \in \Phi_0$ and $p,q \in$ MPL.

1. $P \in$ MPL; $\psi,\tau \models P$ iff $\mathrm{end}(\tau) \in \phi_0(P)$.

2. $H \in$ MPL; $\psi,\tau \models H$ iff

3. $\neg p \in$ MPL; $\psi,\tau \models \neg p$ iff not $(\psi,\tau \models p)$.

4. $p \vee q \in$ MPL; $\psi,\tau \models p \vee q$ iff $\psi,\tau \models p$ or $\psi,\tau \models q$.

5. $Yp \in$ MPL; $\psi,\tau \models Yp$ iff $((\tau\langle u \to v\rangle \le \psi$ and $\tau\langle u \to v\rangle$ legal$) \supset \psi,\tau\langle u \to v\rangle \models p)$.

6. $pWq \in$ MPL; $\psi,\tau \models pWq$ iff for every legal $\tau'$, $\tau \le \tau' \le \psi$, $((\forall \tau'',\ \tau \le \tau'' \le \tau')(\psi,\tau'' \models q)) \supset \psi,\tau' \models p$.

7. $\Box p \in$ MPL; $\psi,\tau \models \Box p$ iff $(\forall \psi' \in \pi,\ \psi' \ge \tau)(\psi',\tau \models p)$.

We have already shown that MPL can simulate the operators G, X and until. Gabbay et al. [GPSS80] describe a number of properties which can be expressed in terms of those operators, which we do not repeat here. MPL can of course express all of those properties. MPL can express properties not expressible with G, X, until and while alone. Lamport [L80] gives a language with two operators $\Box$ and $\Diamond$, and gives two different semantics for $\Box$ and $\Diamond$, which he calls the "linear time" semantics and the "branching time" semantics. Lamport shows that each version can express properties not expressible in the other version.

MPL can simulate both versions. To avoid confusion, we rename Lamport's $\Box$ operator BOX.

Under linear time,

BOX p = Gp,
$\Diamond p$ = Fp.

Under branching time,

BOX p = $\Box Gp$,
$\Diamond p$ = $\Box Fp$.

MPL can simulate PDL, provided programs are strongly restricted. Only A and A* are permitted, where A is a particular basic program. A PDL formula p is translated to MPL formula p' by replacing

[A]q by $\Box Yq$,
and [A*]q by $\Box Gq$.

Given a PDL model for p which assigns to A the relation $\rho(A)$, we can find an MPL model for p' whose process is $\pi = \rho(A)^\omega$, all infinite paths whose transitions are pairs in $\rho(A)$. Conversely, suppose A is an MPL model for p' with process $\pi$. We define a PDL model with states pre($\pi$), and $\rho(A) = \{(x,y) : x,y \in \mathrm{pre}(\pi),\ y = \mathrm{succ}(x)\}$. To make basic formulas go through basically unchanged, we must use nonstandard MPL, rather than standard MPL. Nonstandard MPL is defined analogously to nonstandard GPL (see Chapter 3). As there is a simple embedding of MPL in GPL, the nonstandard-satisfiable formulas of MPL are just the standard satisfiable formulas.

As a consequence of the embedding of PDL over A and A* in MPL, Fischer and Ladner's [FL79] DTIME($c^n$) lower bound on PDL applies to MPL as well.

The classical modal logics T, S4 and S5 are all embedded in MPL. Fischer and Ladner remark that T, S4 and S5 are embedded in PDL over A and A*. Let L be the modal operator "for all visible worlds." By the PDL simulation, it can be seen that in T, Lp is $p \wedge \Box Yp$. In S4, Lp is just $\Box Gp$. For our simulation of S5, we prefer to point out the similarity between the $\Box$ operator of MPL and L of S5. Let worlds correspond to members of $\pi$. The value of P(x) for $x \in \pi$ is determined by the value of P at the second state on x. Thus, to translate an S5 formula to MPL, replace L by $\Box$ and basic formula P by XP.

MPL can express absence of deadlock. An absence of deadlock statement must express that, whenever a path blocks, there is an alternative path which does not block in the immediate future. Termination is considered a normal condition.

$\pi$ cannot deadlock $\equiv \Box G(H \vee \Diamond X\,\mathrm{true})$.
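The clauses of 4.3, the until encoding of 4.2 and the deadlock formula just given, evaluated over a small constructed process. This is an added example, not the thesis's own code; it assumes finite paths (the thesis also allows infinite ones), represents a stage by its index on the path, reads "h extends stage (ψ, i)" as h sharing ψ's prefix up to i, and models H as holding at the final stage of a path tagged as halting, since the page's own clause for H did not survive.

```python
# Added example (not from the thesis): an evaluator for the MPL clauses of
# section 4.3 over a finite process.  Assumptions: paths are finite tuples of
# states; stage tau on path psi is the prefix psi[:i+1], written (psi, i);
# a path h extends stage (psi, i) (h >= t in GPL terms) when it shares that
# prefix; H holds at the last stage of a path listed in `halting` (the page's
# own clause for H is lost, so this is a modelling choice).

# Formulas are nested tuples.  Primitives: ('true',), ('P', name), ('H',),
# ('not', f), ('or', f, g), ('Y', f), ('W', f, g), ('box', f).
TRUE = ('true',)
H = ('H',)

def Not(f): return ('not', f)
def Or(f, g): return ('or', f, g)
def And(f, g): return Not(Or(Not(f), Not(g)))
def Y(f): return ('Y', f)
def W(f, g): return ('W', f, g)
def Box(f): return ('box', f)
def X(f): return Not(Y(Not(f)))                       # Xp = ~Y~p
def B(f, g): return Not(W(Not(f), Not(g)))            # pBq = ~(~pW~q)
def G(f): return W(f, TRUE)                           # Gp = pW true
def F(f): return Not(G(Not(f)))                       # Fp = ~G~p
def Dia(f): return Not(Box(Not(f)))                   # <>p = ~[]~p
def Until(f, g): return X(And(F(g), W(f, Not(g))))    # section 4.2

class Process:
    """A structure (pi, phi_0) with a halting tag on some paths."""
    def __init__(self, paths, valuation, halting=()):
        self.paths = [tuple(p) for p in paths]                 # pi
        self.val = {k: set(v) for k, v in valuation.items()}   # phi_0
        self.halting = {tuple(p) for p in halting}

    def extensions(self, psi, i):
        """Paths h with h >= (psi, i): those sharing the stage's prefix."""
        return [h for h in self.paths if h[:i + 1] == psi[:i + 1]]

    def sat(self, psi, i, f):
        """psi, i |= f, clause by clause as in section 4.3."""
        op = f[0]
        if op == 'true':
            return True
        if op == 'P':                 # end(tau) in phi_0(P)
            return psi[i] in self.val.get(f[1], set())
        if op == 'H':
            return i == len(psi) - 1 and psi in self.halting
        if op == 'not':
            return not self.sat(psi, i, f[1])
        if op == 'or':
            return self.sat(psi, i, f[1]) or self.sat(psi, i, f[2])
        if op == 'Y':                 # a successor exists => p holds there
            return i + 1 >= len(psi) or self.sat(psi, i + 1, f[1])
        if op == 'W':                 # (all s>=i)((all r<=s) q(r)) => p(s)
            p, q = f[1], f[2]
            for s in range(i, len(psi)):
                if not self.sat(psi, s, q):
                    return True       # q has lapsed; nothing more is demanded
                if not self.sat(psi, s, p):
                    return False
            return True
        if op == 'box':               # (all h >= t) p(t, h)
            return all(self.sat(h, i, f[1]) for h in self.extensions(psi, i))
        raise ValueError('unknown operator %r' % (op,))

    def kamp_until(self, psi, i, p, q):
        """Kamp's until (section 4.4): (exists s>t)(q(s) & (all r, t<r<s) p(r))."""
        return any(self.sat(psi, s, q)
                   and all(self.sat(psi, r, p) for r in range(i + 1, s))
                   for s in range(i + 1, len(psi)))

    def until_agrees(self, p, q):
        """X(Fq & pW~q) and Kamp's until agree at every stage of every path."""
        return all(self.sat(h, i, Until(p, q)) == self.kamp_until(h, i, p, q)
                   for h in self.paths for i in range(len(h)))

# "pi cannot deadlock" from section 4.3: whenever a path stops without
# halting normally, some other path through the same stage goes on.
NO_DEADLOCK = Box(G(Or(H, Dia(X(TRUE)))))

def deadlock_free(proc):
    """Evaluate NO_DEADLOCK at the initial stage of every path."""
    return all(proc.sat(h, 0, NO_DEADLOCK) for h in proc.paths)

# Constructed sample processes (not from the thesis).  State c is a dead end
# on path (a, b, c); P1 offers no way around it, P2 adds one.
VAL = {'p': ['b', 'd'], 'q': ['d']}
P1 = Process([('a', 'b', 'c'), ('a', 'b', 'd')], VAL,
             halting=[('a', 'b', 'd')])
P2 = Process([('a', 'b', 'c'), ('a', 'b', 'd'), ('a', 'b', 'c', 'd')], VAL,
             halting=[('a', 'b', 'd'), ('a', 'b', 'c', 'd')])

if __name__ == '__main__':
    p, q = ('P', 'p'), ('P', 'q')
    print('P1 deadlock-free:', deadlock_free(P1))          # False
    print('P2 deadlock-free:', deadlock_free(P2))          # True
    print('until encodings agree on P2:', P2.until_agrees(p, q))
    # Lamport's two readings of "sometime q" at the start of path (a,b,c):
    start = P2.paths[0]
    print('linear    Fq  :', P2.sat(start, 0, F(q)))       # False
    print('branching []Fq:', P2.sat(start, 0, Box(F(q))))  # False
    print('exists    <>Fq:', P2.sat(start, 0, Dia(F(q))))  # True
```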

4.4. Relation of MPL to GPL_M

Let GPL_M^1 be the GPL_M formulas with a single free stage variable.

GPL_M^1 formulas can be characterized by the following two rules.

1. If p is a TL_1 formula relative to path h (every quantifier has the form $(\exists s,\ t \le s \le h)$), then p is a GPL_M^1 formula.

2. If p(s) is a GPL_M formula with only s (and possibly h) free, then GPL_M^1 is closed under substitution of $(\exists h \ge s)\,p(s)$ for P(s), where P is a basic predicate.


In this section we show that MPL and GPL_M^1 can express the same properties. Environments for GPL_M and MPL are almost the same, each consisting of a structure, a path, and a stage. Thus it makes sense to say $\psi,\tau \models p$, where p is a GPL_M^1 formula. The only difference is that in a GPL_M environment the stage need not be a prefix of the path, which it must be in an MPL environment. We get around that by considering MPL environments only, saying that MPL formula p and GPL_M^1 formula p' are equivalent if $E \models p$ iff $E \models p'$ for every MPL environment E.
Theorem 4.1. There is a recursive translation T from GPL_M^1 formulas to MPL formulas such that for every MPL environment E and every GPL_M^1 formula p, $E \models p$ iff $E \models T(p)$. Conversely, there is a recursive translation T' from MPL formulas to GPL_M^1 formulas such that for every MPL environment E and MPL formula q, $E \models q$ iff $E \models T'(q)$.

Proof. Translation T' has already been given. To find T, we follow Nishimura [N80], who applies the results of Gabbay et al. [GPSS80] to a logic similar to MPL.

Let TL be the predicate calculus of a total order < with monadic uninterpreted predicates, and let TL_1 be the formulas of TL with at most one free variable.

Kamp [K68] shows that TL_1 is expressively equivalent to the logic L(u,s) of two operators, until and since, defined in terms of TL as

$p\ \mathrm{until}\ q \equiv (\exists s > t)(q(s) \wedge \forall r\,(t < r < s \supset p(r)))$,

$p\ \mathrm{since}\ q \equiv (\exists s < t)(q(s) \wedge \forall r\,(s < r < t \supset p(r)))$.

Although until can be expressed in terms of W and Y, since cannot, for since looks into the past from time t, while W and Y look only into the future. Gabbay et al. show that the logic L(u) of until only is expressively complete for those formulas of TL which look only into the future. A future formula of TL_1 is a formula with one free variable t, and such that every quantifier in the formula has the form $(\forall s > t)$ or $(\exists s > t)$.

Theorem 4.2. (Gabbay et al.) There is a recursive translation F from the future formulas of TL_1 to L(u) such that in every model, TL_1 formula p holds at time t iff F(p) holds at time t. $\blacksquare$

The proof of theorem 4.2 can easily be modified to handle the termination formulas H(t) in TL_1 and H in L(u). Because W and Y can simulate until, we can replace L(u) by $\Box$-free MPL. Future-TL_1 is just GPL_M^1 without path quantifiers, the path h providing the time domain. However, in both L(u) and TL_1 basic predicates are interpreted over times, or stages, rather than over states. Thus L(u) is a subset of nonstandard MPL, and future-TL_1 is a subset of nonstandard GPL_M^1.

Theorem 4.2 can be modified as follows:

Theorem 4.3. There is a recursive translation F from path-quantifier-free (pqf) GPL_M^1 formulas to $\Box$-free MPL with the property that for every nonstandard structure $A = (U,\pi,\Phi_0,\phi_0)$, every $\psi \in \pi$, every stage $\tau \le \psi$, and every pqf GPL_M^1 formula p, $A,\psi,\tau \models^N_G p$ iff $A,\psi,\tau \models^N_M F(p)$. $\blacksquare$

In order to prove theorem 4.1, we must extend F to all of GPL_M^1. Translation T is simultaneously defined and proved to satisfy theorem 4.1 inductively on the length of p. To avoid confusion, $\models_G$ denotes truth in GPL_M, and $\models_M$ denotes truth in MPL. The superscript N is dropped from $\models$ for clarity, and $A,\psi,\tau \models p$ is abbreviated $\psi,\tau \models p$.

Suppose p has the form $(\exists h \ge t)a$. Define $T((\exists h \ge t)a) = \Diamond T(a)$.

Then

$\psi,\tau \models_G (\exists h \ge t)a$

$\iff (\exists \psi' \in \pi,\ \psi' \ge \tau)(\psi',\tau \models_G a)$

$\iff (\exists \psi' \in \pi,\ \psi' \ge \tau)(\psi',\tau \models_M T(a))$ by induction,

$\iff \psi,\tau \models_M \Diamond T(a)$.

On the other hand, suppose that p = a does not begin with $(\exists h \ge t)$. Let F be the translation of theorem 4.3. Define R: GPL_M^1 $\to$ pqf GPL_M^1 by letting R(q) replace every maximal subformula $b = (\exists h \ge s)a'(s)$ of q by a new basic predicate $Q_b(s)$. Let R': MPL $\to$ MPL be the translation which replaces $Q_b$ by T(b). T(a) is defined as

$T(a) = R' \circ F \circ R(a)$.

Claim. For every $\psi$ and $\tau$, $\psi,\tau \models_G a$ iff $\psi,\tau \models_M T(a)$.

Proof. Let $\Delta$ be the set of Q-variables used by R on a and let $A' = (U,\pi,\Phi_0 \cup \Delta,\phi_0')$ be the extension of A to Q-variables which assigns

$\phi_0'(P) = \phi_0(P)$ for $P \in \Phi_0$,

$\phi_0'(Q_b) = \{\tau : A,\psi_0,\tau \models_G b\}$.

The truth of $b = (\exists h \ge s)a'(s)$ does not depend on $\psi_0$, so the choice of $\psi_0$ in the definition of $\phi_0'(Q_b)$ is arbitrary, and $\phi_0'$ is well defined.

$A,\psi,\tau \models_G a$

$\iff A',\psi,\tau \models_G R(a)$ from the definition of $\phi_0'$,

$\iff A',\psi,\tau \models_M F \circ R(a)$ by theorem 4.3.

But for every $\psi$ and $\tau$,

$A',\psi,\tau \models_M Q_b$

$\iff \tau \in \phi_0'(Q_b)$

$\iff A,\psi,\tau \models_G b$

$\iff A,\psi,\tau \models_M T(b)$ by induction, for b is a subformula of a.

Hence replacing $Q_b$ by T(b) cannot change the truth value of any formula. Thus

$A,\psi,\tau \models_G a \iff A,\psi,\tau \models_M R' \circ F \circ R(a)$

$\iff A,\psi,\tau \models_M T(a)$,

which proves the claim.

All that is left to proving theorem 4.1 is to note that we have proved it for nonstandard structures, and standard structures are a special case of nonstandard structures. $\blacksquare$

We note that, while MPL and GPL_M have the same expressive power over MPL environments, the validity problem for MPL is elementary recursive, while that for GPL_M is not. (The translation T given above is not elementary recursive. In fact, F is not.) That leads us to believe that MPL may be a more suitable language if one is interested in verifying the validity of formulas. On the other hand, there may be interesting statements which can be made concisely in GPL_M, but can only be expressed by very long MPL formulas, though we know of no such statements.

4.5. Decidability of MPL

This section proceeds as follows: First, we define a structure called an LL-graph (LL stands for limited looping). For each LL-graph, we define an associated MPL structure. An LL-graph is a finite representation of its associated MPL structure, the structure possibly having both infinite paths and infinitely many paths. Not all structures can be represented by LL-graphs, for there are only countably many LL-graphs, and there are $\aleph_2$ processes. Nevertheless, the LL-graphs are enough for our needs.

Next, we describe the algorithm for deciding satisfiability of MPL formulas (or, equivalently, validity of MPL formulas, since p is valid iff $\neg p$ is not satisfiable). Given a satisfiable formula $p_0$, the algorithm constructs an LL-graph $L(p_0)$, whose associated structure satisfies $p_0$. On the other hand, given a formula $p_0$ which is not satisfiable, the algorithm noticeably fails to construct an LL-graph for $p_0$.

Finally, we prove that the algorithm has the properties claimed for it in the preceding paragraph, and that it requires time O(2^ ) in the worst case.


4.5.1. LL-graphs

A common approach to establishing the decidability of a logic is to show that every satisfiable formula is satisfied by a model of bounded size. Then one way to decide if a given formula is satisfiable is simply to try every model up to a certain size. MPL structures can be infinite in three different ways: they can have infinitely many states, infinitely many paths, and paths of infinite length. While it is possible to make do with finitely many states, it is easy to write formulas which are satisfiable only by processes which either have infinitely many paths or at least one infinite path. For example:

1) $\Diamond GX\,\mathrm{true}$ forces $\pi$ to contain at least one infinite path, and

2) $\Box G\Diamond X\,\mathrm{true} \wedge \Box FY\,\mathrm{false}$ forces $\pi$ to contain arbitrarily long paths, but no infinite paths, and so forces $\pi$ to contain infinitely many paths.

An infinite process $\pi$ can be represented as the set of paths in some finite directed graph. But there is a problem with that approach; the set of paths in a finite directed graph is closed, in the sense of C-GPL. But the satisfiable formula $\Box G\Diamond X\,\mathrm{true} \wedge \Box FY\,\mathrm{false}$ mentioned above is not satisfiable by any closed process. Nevertheless, directed graphs can be used to represent processes, there being at least two ways to define a non-closed process from a directed graph.

1. Define the process associated with graph G to be the set of "fair" paths in G, where a path is fair provided, if it passes through node v infinitely often, then it passes through every node accessible from v infinitely often. For example, the set of fair paths in the graph

(figure)

is not closed, for it does not contain the infinite path which remains in $v_1$ forever.

2. Let a directed graph have two different types of arcs, called $\Diamond$-arcs and X-arcs. Define the process associated with such a graph to be the paths which traverse finitely many $\Diamond$-arcs, but possibly infinitely many X-arcs. It is clear that the process associated with

(figure)

is not closed.

We adopt both methods for LL-graphs. While the utility of $\Diamond$-arcs will become clear, the fairness condition is used mainly for technical reasons.
Definition. An LL-graph is a six-tuple $(V, A_\Diamond, A_X, V_B, \Phi_0, \phi_0)$ where

$(V, A_\Diamond \cup A_X)$ is a directed graph with vertices V, $\Diamond$-arcs $A_\Diamond$ and X-arcs $A_X$;

$V_B \subseteq V$ is a set of potential block vertices;

$\Phi_0$ is a finite set of basic formulas;

$\phi_0 : \Phi_0 \to 2^V$.

Additionally, an LL-graph must obey conditions LL1 and LL2. Let $\Diamond$ and X be the binary relations induced by $A_\Diamond$ and $A_X$ respectively.

LL1. If $u \Diamond v$ then $v \Diamond u$. ($\Diamond$-arcs are bidirectional.)

LL2. If $u \Diamond v$ then $u \in \phi_0(P)$ iff $v \in \phi_0(P)$ for every $P \in \Phi_0$.

The  purpose  of  LL1  and  LL2  will  become  clear  later. 

Definition. An arc-path in an LL-graph L is a pair consisting of a start vertex and a sequence of zero or more (or infinitely many) arcs defining a connected path in L.

Definition. A route r in an LL-graph is an arc-path which satisfies R1-R3.

R1. r contains finitely many $\Diamond$-arcs.

R2. r does not end on a vertex with an X-arc leaving it.

R3. If r passes through vertex u infinitely often and there is a path of zero or more X-arcs from u to v, then r passes through v infinitely often.

Definition. A simple route is a route which contains no $\Diamond$-arcs.

Note that there is at least one simple route starting at any vertex, which can be found by following X-arcs as long as they exist, using some fair system of choosing between X-arcs.

We are now in a position to define the MPL structure $A_L$ associated with an LL-graph L. The states of $A_L$ are the equivalence classes of the vertices of L under the equivalence relation $\Diamond^*$, the reflexive transitive closure of $\Diamond$. The paths of $A_L$ are obtained from the routes in L. Given a route r, define the path $\bar r$ by

1) erasing all $\Diamond$-arcs in r,

2) replacing each X-arc $(u,v)_X$ by the transition $\langle \bar u \to \bar v \rangle$, where $\bar u$ is the equivalence class of u,

3) adding the transition $\langle \Lambda \to \Lambda \rangle$ to the end of $\bar r$ when r is finite and ends on a vertex in $V_B$.

The paths in $A_L$ are the bars of the routes in L. Formally, given $L = (V, A_\Diamond, A_X, V_B, \Phi_0, \phi_0)$, define $A_L = (\bar V, \pi, \Phi_0, \bar\phi_0)$ by

$\bar u = \{v \in V : u \Diamond^* v\}$,

$\bar V = \{\bar u : u \in V\}$,

$\pi = \{\bar r : r \text{ a route in } L\}$,

$\bar\phi_0(P) = \{\bar u : u \in \phi_0(P)\}$.

Example. The LL-graph

(figure)

with $\phi_0(P) = \{u, v\}$ and $V_B = \emptyset$ represents a structure with two states, $\bar u$ and $\bar w$, and process $\pi = \{(\bar u, \langle \bar u \to \bar u \rangle^i \langle \bar u \to \bar w \rangle \langle \bar w \to \bar w \rangle^\omega) : i \ge 0\} \cup \{(\bar w, \langle \bar w \to \bar w \rangle^\omega)\}$. $\bar\phi_0(P) = \{\bar u\}$.

4.5.2. The Decision Algorithm for MPL

Given formula $p_0$, the algorithm constructs a tableau for $p_0$, which is a generalization of an LL-graph. With each node u of a tableau there are associated two sets of formulas $S_u$ and $Z_u$, which are used to guide the construction. The set $V_B$ and function $\phi_0$ for a tableau are defined in terms of $S_u$ by

$V_B = \{u : H \in S_u\}$,

$\phi_0(P) = \{u : P \in S_u\}$.

Some of the nodes of a tableau are marked consistent, while others are marked inconsistent. The consistent subtableau $T_c$ of T is obtained by deleting all inconsistent nodes and associated arcs from T. The tableau $T(p_0)$ constructed for $p_0$ is designed to have the following property. Let A be the structure associated with $T_c(p_0)$, u be any node in $T_c(p_0)$, q be any formula in $Z_u \supseteq S_u$, a be any finite arc-path in $T_c(p_0)$ ending on u, and $r_u$ be any simple route starting at u. Then $A, \bar a \bar r_u, \bar a \models q$. The bar of a is defined as for routes, with the exception that $\langle \Lambda \to \Lambda \rangle$ is not added to its end. By constructing $T(p_0)$ so that $Z_v$ contains $p_0$ for some node v, we see that, if v is consistent, then $A, \bar a_v \bar r_v, \bar a_v \models p_0$, where $a_v = (v, \lambda)$ and $r_v$ is a simple route starting at v, and hence $p_0$ is satisfiable. Conversely, we show that if $p_0$ is satisfiable, then $Z_v$ contains $p_0$ for some consistent node v.


i 


r, 

( 

j 


i 


i 


The method of constructing $T(p_0)$ is similar to other tableau methods, such as that for classical modal logic [HC68], and PDL [Pr78]. We begin by setting T to the tableau consisting of a single node $v_0$, with $S_{v_0} = Z_{v_0} = \{p_0\}$. T does not yet obey the properties claimed for $T(p_0)$. In order to make T obey the claims, we perform transformations on T. Each transformation is intended to make one formula in one node hold for simple routes starting at that node, and accomplishes that goal either by adding new formulas or creating new nodes. For example, if $S_u$ contains $\neg(p \vee q)$, a transformation replaces $\neg(p \vee q)$ by $\neg p$ and $\neg q$, in hope that future transformations will cause both $\neg p$ and $\neg q$ to be satisfied. If $S_u$ contains $p \vee q$, then a transformation causes u to split into two nodes u' and u'', one containing p, the other q. Transformations try to make both u' and u'' satisfy the claims, but need only succeed for one of them. Consistent nodes are ones on which transformations succeed. If $S_u$ contains $\neg Yp$, a transformation creates a new node v, draws an X-arc from u to v, and places $\neg p$ (among other formulas) in $S_v$. If some alternative for v is consistent, then u is consistent. The hardest formulas to satisfy are the box formulas. The transformations first must reduce them to a standard form, which is a $\Box$ followed by a disjunction of one or more formulas, each starting either with Y or $\neg Y$. There are suitable transformations for formulas in standard form. $\neg\Box$ formulas are also reduced to standard form in order to prevent splitting transformations (such as that for $p \vee q$) from applying to nodes with $\Diamond$-arcs pointing to them, the reasoning being that if $S_u$ contains $(P \vee \neg P)$, one alternative of u contains P, while the other contains $\neg P$. But condition LL2 requires that nodes linked by $\Diamond$-arcs satisfy exactly the same basic formulas. Splitting before drawing any $\Diamond$-arcs avoids that problem.

Transformations are applied until no more can be applied. At that point, consistency rules are invoked, causing some nodes to be marked inconsistent. When no more consistency rules apply, the construction is finished, and $T = T(p_0)$.

Transformations alter both S and Z sets. Set $Z_u$ is a "history" set, containing every formula which was ever in $S_u$. In particular, $S_u \subseteq Z_u$. Some notation, similar to Pratt's [Pr78], will make transformations easier to write.

1. $p \to q, r$ means "if $S_u$ contains p, then set $S_u := (S_u - \{p\}) \cup \{q, r\}$, and $Z_u := Z_u \cup \{q, r\}$."

2. $p \to q$ or r splits a node into two new nodes. If $S_u$ contains p, replace u by two new vertices u' and u'', with

$S_{u'} = (S_u - \{p\}) \cup \{q\}$, $Z_{u'} = Z_u \cup \{q\}$,

$S_{u''} = (S_u - \{p\}) \cup \{r\}$, $Z_{u''} = Z_u \cup \{r\}$.

If any X-arcs used to point to u, duplicate them for u' and u'' as shown below.

(figure)

Due to the order in which transformations apply, no vertex with a $\Diamond$-arc pointing to it is ever split.

3. $\Box(\alpha \vee p) \to \ldots$ In general, $\Box$ is followed by a disjunction of several terms, and only one of the terms is transformed. The disjunction $\alpha \vee p$ is thought of as a set of formulas, one of whose members is p. Transformations very similar to those for formulas outside the scope of $\Box$ apply to those inside the scope of $\Box$.

4. $p \Leftrightarrow A$ is an abbreviation for two rules, one for p, the other for $\neg p$.

$p \Leftrightarrow q, r$ represents $(p \to q, r)$ and $(\neg p \to \neg q$ or $\neg r)$.

$p \Leftrightarrow q$ or r represents $(p \to q$ or $r)$ and $(\neg p \to \neg q, \neg r)$.

Transformation Rules

The transformation rules are listed below. They are broken into five groups, transformations in group one having the highest priority, group two lower, etc. We assume that $p_0$ is written using only basic formulas and the symbols $\neg$, $\vee$, H, $\Box$, W, Y, (, ).

Group one

TR1. $\neg\neg p \to p$.

TR2. $p \vee q \Leftrightarrow p$ or q.

TR3. $pWq \to \neg q$ or $(p, Y(pWq))$.

TR4. $\neg(pWq) \to (q, \neg p)$ or $(q, p, \neg Y(pWq))$.

Group two

TR5. $\Box(\alpha \vee \neg\neg p) \to \Box(\alpha \vee p)$.

TR6. $\Box(\alpha \vee \neg(p \vee q)) \to \Box(\alpha \vee \neg p), \Box(\alpha \vee \neg q)$.

TR7. $\Box(\alpha \vee pWq) \to \Box(\alpha \vee \neg q \vee p), \Box(\alpha \vee \neg q \vee Y(pWq))$.

TR8. $\Box(\alpha \vee \neg(pWq)) \to \Box(\alpha \vee q), \Box(\alpha \vee \neg p \vee \neg Y(pWq))$.

Group three

TR9. $\Box(\alpha \vee P) \to \Box\alpha$ or P for $P \in \Phi_0$.

TR10. $\Box(\alpha \vee \neg P) \to \Box\alpha$ or $\neg P$ for $P \in \Phi_0$.

TR11. $\Box(\alpha \vee \Box p) \to \Box\alpha$ or $\Box p$.

TR12. $\Box(\alpha \vee \neg\Box p) \to \Box\alpha$ or $\neg\Box p$.

(If $\alpha$ is empty, $\Box\alpha$ is false.)

Group five. Rules for drawing X- and $\Diamond$-arcs.

TR14. a) If $S_u$ contains either $\neg Yp$ or $\Box(\neg Yp_1 \vee \ldots \vee \neg Yp_k)$, create a new vertex v, and draw an X-arc from u to v.

b) If part (a) results in a new vertex v, set

$S_v = Z_v = \{p : Yp \in S_u\}$

$\cup \{\neg p : \neg Yp \in S_u\}$

$\cup \{(p_1 \vee \ldots \vee p_k \vee \neg q_1 \vee \ldots \vee \neg q_m),\ \Box(p_1 \vee \ldots \vee p_k \vee \neg q_1 \vee \ldots \vee \neg q_m) : \Box(Yp_1 \vee \ldots \vee Yp_k \vee \neg Yq_1 \vee \ldots \vee \neg Yq_m) \in S_u\}$.

TR15. If $S_u$ contains $\neg\Box(Yp_1 \vee \ldots \vee Yp_k \vee \neg Yq_1 \vee \ldots \vee \neg Yq_m)$ and there is no node v such that $u \Diamond^* v$ and $S_v$ contains $\neg Yp_1, \ldots, \neg Yp_k, Yq_1, \ldots, Yq_m$, then create a new node v, draw a bidirectional $\Diamond$-arc between u and v, and set

$S_v = Z_v = \{\neg Yp_1, \ldots, \neg Yp_k, Yq_1, \ldots, Yq_m\}$

$\cup \{P : P \in S_u$ and $P \in \Phi_0\}$

$\cup \{\neg P : \neg P \in S_u$ and $P \in \Phi_0\}$

$\cup \{\Box p : \Box p \in S_u\}$.

TR16. Add formulas to S and Z sets as required to make the following true.

a) If $Yp_1, \ldots, Yp_k, \neg Yq_1, \ldots, \neg Yq_m$ are all of the Y and $\neg Y$ formulas in $S_v$, and $u \Diamond^* v$ for some v, then $S_u$ contains $\neg\Box(\neg Yp_1 \vee \ldots \vee \neg Yp_k \vee Yq_1 \vee \ldots \vee Yq_m)$.

b) If $u \Diamond^* v$, then $S_u$ and $S_v$ contain the exact same $\Box$ formulas.

(It is easy to show that TR16 cannot cause any other transformations to apply, or affect any consistency rules. Hence the algorithm works just as well without TR16. However, the correctness proof is simplified by having the redundant formulas which TR16 adds.)

A quick inspection of TR3 and TR14 shows that the transformations given so far can continue to create new vertices forever. However, after some time, the new vertices will be identical to previously constructed vertices. The filtration rule merges similar vertices. Filtration should be performed before group five rules, to prevent the creation of new nodes.

Group four (Filtration.)

TR13. If $S_u = S_v$ up to associativity and commutativity of $\vee$, delete u, and send any arcs which point to u to v instead. Set $Z_v := Z_v \cup Z_u$.


Consistency  rules 
C1. If $Z_u$ contains both p and $\neg p$, then u is inconsistent.

C2. If $S_u$ contains H and uXv for some v, then u is inconsistent.

C3. If $u \Diamond v$ and v is inconsistent, then u is inconsistent.

C4. If there is some v such that uXv and every such v is inconsistent, then u is inconsistent.

C5. If $Z_u$ contains $\neg(pWq)$ and for every consistent node v which is reachable from u by a path of zero or more X-arcs, $Z_v$ contains p, then u is inconsistent.

The order in which the consistency rules apply makes no difference. It can be shown that a weaker version of C1, which only looks for a basic formula and its negation, is sufficient. The present version simplifies proofs.

Example 1. The tableau constructed for XP ∧ ◊X~P (= ~(~XP ∨ □~X~P)) is drawn below. We use X and ◊ freely to abbreviate ~Y~ and ~□~.


All of the nodes are consistent. The sets listed are the S sets, which in this simple example equal the Z sets at every node. The formula ◊XP was added to v_0 and by TR16. Notice that, if r is the simple route (v_1, (v_1, v_.)), so that r̄ = (v_1, ⟨v_1→v_.⟩), then a·r, a ⊨ XP for any a ending on v_1. On the other hand, if r is the non-simple route (v_., (v_., (v_., v_.))), so that r̄ = (v_1, ⟨v_1→v_4⟩), then a·r, a does not satisfy XP. This example illustrates a second function of ◊-arcs, in addition to limiting loop traversals. For a formula such as ◊p_1 ∧ ... ∧ ◊p_n to hold at a given state, there must in general be several different paths through that state. ◊-arcs provide a means of splitting a state into n different nodes, in such a way that node i is responsible for creating a path which satisfies p_i.

Example 2. The consistent subtableau constructed for G(FP ∧ F~P) is drawn below.


It is clear that every fair route satisfies G(FP ∧ F~P), although some unfair routes, such as the one which remains in the lower left-hand corner forever, do not. This example shows that the fairness condition is required for this particular algorithm to work, though not that fairness is required for there to be an LL-graph satisfying every formula, for the graph whose only route alternates between two nodes, one containing P and the other ~P, also satisfies G(FP ∧ F~P). We know of no formula which seems to require fairness.

Example 2 reveals that this algorithm sometimes constructs non-closed processes to satisfy formulas which are satisfiable by closed processes. Thus the algorithm cannot be used directly to decide satisfiability of MPL formulas over closed processes. We do not know of any better means of deciding closed MPL than by translating to C-GPL, and testing there.

4.5.3. Correctness of the decision algorithm

Let T(p_0) be the tableau constructed for p_0, let T_c(p_0) be the consistent subtableau of T(p_0), and let A be the associated structure. We begin by bounding the time spent constructing T(p_0).

Theorem 4.4. If p_0 has length n, then there are at most 2^(2^(5n)) nodes in T(p_0) for n ≥ 2.

Proof. Let S(p_0) be the set of formulas of the forms

a) p,
b) ~p,
c) Yp,
d) ~Yp,

where p is a subformula of p_0. A simple induction shows that S(p_0) has at most 4n members. It is not difficult to show that every formula in Z_v for every v has one of the forms

1) q_1,
2) □(q_1 ∨ ... ∨ q_k),
3) ~□(q_1 ∨ ... ∨ q_k),

where q_1, ..., q_k are members of S(p_0). Thus there are no more than 4n + 2·2^(4n) different formulas written in nodes, up to associativity and commutativity of ∨.

By the filtration rule, no two distinct vertices can contain the exact same formulas, so there are at most 2^(2^(4n+1)) < 2^(2^(5n)) different vertices. ∎


Theorem 4.5. SAT(MPL) is in DTIME(2^(2^(cn))) for some constant c.

Proof. We leave it to the reader that T(p_0) can be constructed in time polynomial in the number of nodes in T(p_0) in the worst case. For example, no more than 2^(5n) transformations can apply to any given node, and all of the formulas in a node have length at most cn for some c. ∎
The best lower bound we know of on the complexity of MPL is the single exponential time bound which follows from MPL's ability to efficiently simulate PDL over the programs A and A*. Fischer and Ladner [FL79] prove that PDL over A and A* is not in DTIME(c^n) for some c > 1.

Theorem 4.6. The satisfiability problem for MPL is not in DTIME(c^n) for some c > 1. ∎

In section 4.6, we present a proof system A for MPL. Our goal is to prove the following theorem.

Theorem 4.7. Let v be a node in T(p_0), and let p_v be the conjunction of all formulas in S_v. The following three statements are equivalent.

1. ~p_v is valid.

2. ~p_v is provable in system A.

3. v is inconsistent.

The remainder of this section is devoted to proving (1) ⇒ (3). (3) ⇒ (2) and (2) ⇒ (1) are deferred to section 4.6, where system A is defined.

First we show that correctness of the decision method is a corollary of theorem 4.7. Assume without loss of generality that p_0 has the form Xp. (If p_0 has any other form, we can test Xp_0, which is valid iff p_0 is valid.) Then v_0 is never changed, and p_{v_0} = p_0.

Corollary 4.8. p_0 is satisfiable iff v_0 is consistent. ∎

Before proving (1) ⇒ (3), we prove four small lemmas.

Lemma 4.9. In the completed tableau T(p_0), if P ∈ Φ_0 (~P, □p, ~□p respectively) is in S_u and u ◊ v, then P (~P, □p, ~□p respectively) is in S_v.

Proof. Lemma 4.9 for ~□p follows from the action of TR16. For P, ~P and □p it follows from the fact that TR15 copies basic formulas, their negations, and box formulas across ◊-arcs, and no new box formulas can be created after TR15 applies. ∎

Lemma 4.10. T_c(p_0) is an LL-graph.

Proof. We must verify that T_c(p_0) satisfies LL1 and LL2. LL1 holds because TR15 draws bidirectional ◊-arcs. If u ◊ v, then

u ∈ φ_0(P) ⟺ P ∈ S_u by definition of φ_0 for T,
⟺ P ∈ S_v by lemma 4.9,
⟺ v ∈ φ_0(P),

which verifies LL2. ∎

Lemma 4.11. Let v be a consistent node, and let p_v be the conjunction of all formulas in S_v. Then for every formula q in Z_v, p_v ⊃ q is valid.

Proof. Formally, the proof proceeds by induction on the number of transformations which have applied, showing that lemma 4.11 holds at every intermediate stage in the construction of T(p_0), as well as in T(p_0).

Informally, we only need to notice that each transformation TR1-TR12 replaces a formula by an equivalent or stronger formula. For example, TR2 deletes p ∨ q from S_v, but adds either p or q, each of which implies p ∨ q. TR14-TR16 do not remove any formulas from S_v. TR13 merges v with v', creating a new node v'', with Z_{v''} = Z_v ∪ Z_{v'} and S_{v''} = S_{v'} = S_v, which clearly preserves lemma 4.11. ∎

Lemma 4.12.

a) If Z_u contains Yp (~Yp) and uXw, then Z_w contains p (~p).

b) If Z_u contains □(Yp_1 ∨ ... ∨ Yp_k ∨ ~Yq_1 ∨ ... ∨ ~Yq_m) and uXw, then Z_w contains □(p_1 ∨ ... ∨ p_k ∨ ~q_1 ∨ ... ∨ ~q_m) and (p_1 ∨ ... ∨ p_k ∨ ~q_1 ∨ ... ∨ ~q_m).

Proof. TR14 places the desired formula in a node which is an ancestor of w in the construction. The history set Z_w retains the formula. ∎

Theorem 4.13. Let A be the structure associated with T_c(p_0). Let v be a consistent node in T(p_0), a_v be an arc-path in T_c(p_0) ending on v, and r_v be a simple route in T_c(p_0) starting at v. Then A, a_v·r_v, a_v ⊨ p for every p in Z_v.

Corollary 4.14. ((1) ⇒ (3)). If v is consistent, then p_v is satisfiable.

Proof. There is a simple route r beginning at any given node in T_c(p_0), which can be found by following X-arcs as long as they exist, using some fair method of choosing between X-arcs. By theorem 4.13, A, r, T ⊨ ∧_{p ∈ Z_v} p, which implies that p_v is satisfiable. ∎

Proof of theorem 4.13. The proof is by induction on the order ≺ over formulas which makes p ≺ q if either p has fewer W symbols than q, or p and q have the same number of W symbols, and p is shorter than q. If p ≺ q, we say that p is smaller than q. Each possible form of p is considered below. We generally write r_v ⊨ q for a_v·r_v, a_v ⊨ q for brevity. We say that v contains P when P ∈ Z_v.

P. P ∈ Z_v ⇒ P ∈ S_v because P is not reduced,
⇒ v ∈ φ_0(P) by definition of φ_0(P),
⇒ v ∈ φ_0(P) by LL2,
⇒ r_v ⊨ P.
~P. ~P ∈ Z_v ⇒ ~(P ∈ Z_v) by C1,
⇒ ~(r_v ⊨ P) by the proof for P,
⇒ r_v ⊨ ~P.

H. H ∈ Z_v ⇒ ~∃u(vXu) by C2, and ~H ∉ S_v by C1, since H is not reduced,
⇒ r_v = (v, λ),
⇒ r_v ⊨ H.

~H. Suppose ~H ∈ Z_v. Then either there is a consistent u such that vXu, or r_v = (v, λ). In the former case r_v ⊨ ~H by R2, which prohibits r_v from ending on v. When r_v = (v, λ), r̄_v = (v, ⟨λ→λ⟩), and r̄_v ⊨ ~H.

~~p, p ∨ q, ~(p ∨ q). Trivial, using TR1, TR2.

pWq. Suppose pWq is in Z_v. Let the nodes on route r_v be, in order, v = v_1, v_2, ... Because r_v is simple, there is an X-arc from v_i to v_{i+1} for all i ≥ 1, up to the end of r_v, if r_v is finite. By TR3, any node v_i containing pWq also contains either ~q or both p and Y(pWq). If the latter is the case, then by lemma 4.12, v_{i+1} must also contain pWq, provided v_{i+1} exists. By repeatedly applying TR3 and lemma 4.12, we see that either v_1, ..., v_k all contain both p and Y(pWq) for some k ≥ 0, and v_{k+1} contains ~q, or every v_i contains both p and Y(pWq). Let r_i be the suffix of r_v which starts at v_i, and a_v·r_v = a_i·r_i. If every v_i contains p, then by induction a_i·r_i, a_i ⊨ p for all i, which forces a_v·r_v, a_v ⊨ pWq. If, on the other hand, v_1, ..., v_k contain p and v_{k+1} contains ~q, then again by induction a_v·r_v, a_v ⊨ pWq.

~(pWq). Suppose v contains ~(pWq). By repeated application of TR4 and lemma 4.12, as was done for pWq, we see that either every node on r_v contains q and p and ~Y(pWq), or every node up to some point contains q and p and ~Y(pWq), and the next node contains q and ~p. In the latter case, by induction and the meaning of pWq, r_v ⊨ ~(pWq). In the former case r_v must be infinite, for by R2 r_v cannot end on a node with an X-arc leaving it. Since every node on r_v contains ~Y(pWq), TR14 draws an X-arc coming out of every node on r_v, and by consistency rule C4, every node on r_v (all of which must be consistent) retains at least one of its X-arcs in T_c. Route r_v must pass through some node w infinitely often, so by the fairness of r_v, r_v passes through node u infinitely often for every u which is reachable from w by a path of X-arcs. But every node on r_v contains both p and ~(pWq). Hence node w is inconsistent by C5, violating the fact that r_v is a route in T_c.

Yp. Suppose v is consistent and contains Yp. By lemma 4.12, any node u reachable from v by a single X-arc contains p. Suppose r_v = (v,u)_X·r_u. By induction, r_u ⊨ p, and so r_v ⊨ Yp.

~Yp. If v contains ~Yp, then TR14(a) draws an X-arc coming out of v. By C4, there must remain an X-arc coming out of v in T_c. The rest is very similar to Yp.

~□p. Suppose v is consistent and contains ~□p. By TR15, there is a u in T such that v ◊ u, and by consistency rule C3, u must be consistent. TR15 places formulas q_1, ..., q_n in u, with q_1 ∧ ... ∧ q_n ⊃ ~p, and each q_i smaller than ~p. If r_u is a simple route starting at u, then by induction r_u ⊨ q_i for all i, so r_u ⊨ ~p. Hence there is a path r_u in A starting at u ◊ v which satisfies ~p, which implies a_v·r, a_v ⊨ ~□p for any r, in particular for r_v.

There is a special problem with the box formulas. Several different transformations may apply to □(a_1 ∨ ... ∨ a_n), although, in any actual construction, only one is chosen. For that reason, it is not technically correct to say, for instance, that if □(a ∨ ~~p) is in Z_v, then □(a ∨ p) is in Z_v, for a may have been reduced first. But some disjunct a_i of □(a_1 ∨ ... ∨ a_n) is reduced in v, and we may consider □(a_1 ∨ ... ∨ a_n) to be of the form □(b ∨ a_i). Thus, when proving theorem 4.13 for □(a ∨ p), we may assume that p is immediately reduced in v.

□(a ∨ ~~p), □(a ∨ ~(p ∨ q)). Trivial inductions.

□(a ∨ P), □(a ∨ ~P), □(a ∨ □p), □(a ∨ ~□p). Each of these is routine, by the group three transformations and the valid formulas

1) □(a ∨ P) ≡ □a ∨ P,

2) □(a ∨ ~P) ≡ □a ∨ ~P,

3) □(a ∨ □p) ≡ □a ∨ □p,

4) □(a ∨ ~□p) ≡ □a ∨ ~□p.

Formulas (1)-(4) can be recognized as valid by realizing that formulas P, ~P, □p and ~□p are independent of the variable h quantified by □.

We have considered □(a ∨ b) for every form of b except pWq, ~(pWq), Yp and ~Yp. □(a ∨ pWq) and □(a ∨ ~(pWq)) are hardest to handle, and are done last. After TR1-TR12 have been exhaustively applied to v, the only remaining □ formulas in S_v have the form □(Yp_1 ∨ ... ∨ Yp_k ∨ ~Yq_1 ∨ ... ∨ ~Yq_m) for some k, m.

□(Yp_1 ∨ ... ∨ Yp_k ∨ ~Yq_1 ∨ ... ∨ ~Yq_m). Let b = Yp_1 ∨ ... ∨ Yp_k ∨ ~Yq_1 ∨ ... ∨ ~Yq_m, and c = p_1 ∨ ... ∨ p_k ∨ ~q_1 ∨ ... ∨ ~q_m. Using the valid equivalences

1) Y(p ∨ q) ≡ Yp ∨ Yq ≡ Yp ∨ Xq,

2) X(p ∨ q) ≡ Xp ∨ Xq,

we can show that

1) b ≡ Yc if k > 0,

2) b ≡ Xc if k = 0.

Case 1. Assume k > 0, and □b ∈ Z_v (so □b ∈ S_v, since TR1-TR12 do not alter □b). We must show that a_v·r_v, a_v ⊨ □b, that is, for every route r (not necessarily simple) starting at v, a_v·r, a_v ⊨ b. Let r consist of a sequence d of zero or more ◊-arcs going from v to u, followed by an X-arc from u to w, followed by r_w, i.e., r = d·(u,w)_X·r_w. Then

□b ∈ S_v
⇒ □b ∈ S_u by lemma 4.9,
⇒ □c ∈ Z_w by lemma 4.12,
⇒ a_v·d·(u,w)_X·r_w, a_v·d·(u,w)_X ⊨ □c by induction,
⇒ ψ, a_v·d·(u,w)_X ⊨ c for every ψ extending a_v·d·(u,w)_X,
⇒ a_v·r, a_v·d·(u,w)_X ⊨ c since r = d·(u,w)_X·r_w,
⇒ a_v·r, a_v·⟨u→w⟩ ⊨ c,
⇒ a_v·r, a_v ⊨ Yc,
⇒ a_v·r, a_v ⊨ b.
Case 2. Assume k = 0 and □b ∈ S_v. By lemma 4.9, □b is in S_u for every u ◊ v. When TR14 sees □b = □(~Yq_1 ∨ ... ∨ ~Yq_m) in S_u, it draws an X-arc coming out of u. If v is consistent, then by C3 u is consistent, and by C4 there must be an X-arc leaving u in T_c. Thus no route can end on any u equivalent to v, so for every route r starting at v, r ⊨ X true. It remains to show that r ⊨ Yc, since b ≡ Xc ≡ X true ∧ Yc. That was done in case 1.

□(a ∨ pWq). We need to know something about the formulas to which □(a ∨ pWq) is ultimately reduced.

Lemma 4.15. Suppose □(a_1 ∨ ... ∨ a_n ∨ Y(pWq)) is in Z_v. Then there are formulas q_1, ..., q_t in S_v such that q_1 ∧ ... ∧ q_t ⊃ □(a_1 ∨ ... ∨ a_n ∨ Y(pWq)) is valid, and every q_i either has no more W symbols than some a_j, or is □(Yb_1 ∨ ... ∨ Yb_k ∨ ~Yc_1 ∨ ... ∨ ~Yc_m ∨ Y(pWq)) for some b_1, ..., b_k, c_1, ..., c_m, k, m ≥ 0, where each b_i and c_i is no larger than some a_j.

Proof. Group two transformations apply to □(a_1 ∨ ... ∨ a_n ∨ Y(pWq)) to produce several formulas, □(d_1 ∨ ... ∨ d_s ∨ Y(pWq)) for i = 1, ..., t, and it is easy to show that each d_j is either some a_i which was not reduced, or is smaller than some a_i, or is Ye or ~Ye, where e is no larger than some a_i. Group three transformations pull each d_j which does not begin with Y or ~Y outside of the box, and further transformations on d_j cannot produce a formula with more W symbols than d_j (although they can produce longer formulas). Thus the size constraints of lemma 4.15 are satisfied. By lemma 4.11 and the fact that each formula reduces independently of the others by TR1-TR12, if □(a_1 ∨ ... ∨ a_n ∨ Y(pWq)) reduces to q_1, ..., q_t, then q_1 ∧ ... ∧ q_t ⊃ □(a_1 ∨ ... ∨ a_n ∨ Y(pWq)) is valid. ∎

Suppose □(a ∨ pWq) ∈ Z_v.

□(a ∨ pWq) ∈ Z_v
⇒ □(a ∨ ~q ∨ p) ∈ Z_v by TR7,
⇒ r_v ⊨ □(a ∨ ~q ∨ p) by induction,

for □(a ∨ ~q ∨ p) has fewer W's than □(a ∨ pWq).

□(a ∨ pWq) ∈ Z_v
⇒ □(a ∨ ~q ∨ Y(pWq)) ∈ Z_v by TR7,
⇒ q_1, ..., q_t ∈ S_v,

where q_1, ..., q_t are the formulas of lemma 4.15. Those which have no more W symbols than a ∨ ~q are satisfied by r_v by induction. All that is left is to show that, if q_i = □(Yb_1 ∨ ... ∨ Yb_k ∨ ~Yc_1 ∨ ... ∨ ~Yc_m ∨ Y(pWq)), then r_v ⊨ q_i. For then

r_v ⊨ □(a ∨ ~q ∨ p) ∧ q_1 ∧ ... ∧ q_t
⇒ r_v ⊨ □(a ∨ ~q ∨ p) ∧ □(a ∨ ~q ∨ Y(pWq)) by the fact that q_1 ∧ ... ∧ q_t ⊃ □(a ∨ ~q ∨ Y(pWq)) is valid,
⇒ r_v ⊨ □(a ∨ pWq) by semantic implication.

Equivalently, we must show that for every route r (not necessarily simple) starting at v, a_v·r, a_v ⊨ Yb_1 ∨ ... ∨ Yb_k ∨ ~Yc_1 ∨ ... ∨ ~Yc_m ∨ Y(pWq).

Claim. Suppose, by induction, that theorem 4.13 holds for all formulas smaller than □(a ∨ pWq). Let f = (Yd_1 ∨ ... ∨ Yd_s ∨ ~Ye_1 ∨ ... ∨ ~Ye_t) and g = (d_1 ∨ ... ∨ d_s ∨ ~e_1 ∨ ... ∨ ~e_t), where each d_i and e_i is no larger than either a or q, and suppose that S_u contains □(f ∨ Y(pWq)). Then for every route r starting at u, a_u·r, a_u ⊨ f ∨ Y(pWq).

Lemma 4.15 asserts that each q_i = □(f_i ∨ Y(pWq)) satisfies the conditions of the claim. Hence, by the claim, a_u·r, a_u ⊨ f_i ∨ Y(pWq) for every r starting at u, which is what we want.

Proof of the claim. The proof is by subinduction on the order over routes which makes r_1 < r_2 iff either r_1 has fewer ◊-arcs than r_2, or r_1 and r_2 have the same positive number of ◊-arcs, and r_1 has fewer X-arcs before its first ◊-arc than r_2. Since routes can have only finitely many ◊-arcs, the induction covers all routes.

Case 1. r has no ◊-arcs, i.e., r is simple. If r has no arcs at all, then r trivially satisfies Y(pWq), and the claim holds. Suppose r = (u,w)_X·r'. By lemma 4.12, Z_w contains g ∨ pWq. TR2 selects one of d_1, ..., d_s, ~e_1, ..., ~e_t, pWq to be in Z_w. The selected formula must be smaller than □(a ∨ pWq), so, by the main induction hypothesis, r' must satisfy it, since r' is simple. Hence

a_u·(u,w)_X·r', a_u·(u,w)_X ⊨ g ∨ pWq,
a_u·r, a_u ⊨ Y(g ∨ pWq).


Case 2. r = (u,w)_◊·r', r begins with a ◊-arc. Let a_w = a_u·(u,w)_◊.

□(f ∨ Y(pWq)) ∈ S_u
⇒ □(f ∨ Y(pWq)) ∈ S_w by lemma 4.9,
⇒ a_w·r', a_w ⊨ f ∨ Y(pWq) by the subinduction hypothesis,
⇒ a_u·r, a_u ⊨ f ∨ Y(pWq) since bar erases ◊-arcs.

Case 3. r = (u,w)_X·r', and r' contains a ◊-arc.

□(f ∨ Y(pWq)) ∈ S_u
⇒ □(g ∨ pWq) ∈ Z_w by lemma 4.12,
⇒ □(g ∨ ~q ∨ p) ∈ Z_w by TR7,
⇒ a_w·r', a_w ⊨ □(g ∨ ~q ∨ p) by the main induction hypothesis,
⇒ a_w·r', a_w ⊨ g ∨ ~q ∨ p by semantic implication.

Also,

□(f ∨ Y(pWq)) ∈ S_u
⇒ □(g ∨ pWq) ∈ Z_w by lemma 4.12,
⇒ □(g ∨ ~q ∨ Y(pWq)) ∈ Z_w by TR7,
⇒ a_w·r', a_w ⊨ g ∨ ~q ∨ Y(pWq) by lemma 4.15 and the subinduction hypothesis.

By the validity of (g ∨ ~q ∨ p) ∧ (g ∨ ~q ∨ Y(pWq)) ⊃ g ∨ pWq, we have

a_w·r', a_w ⊨ g ∨ pWq
⇒ a_u·r, a_u ⊨ Y(g ∨ pWq)
⇒ a_u·r, a_u ⊨ f ∨ Y(pWq) by distributing Y over ∨. ∎

□(a ∨ ~(pWq)). The proof for this case is very similar to that for □(a ∨ pWq). The main difference is that, instead of Y(pWq), we have ~Y(pWq), and must take into account in lemma 4.15 the possibility that k might be zero. The tedious proof is omitted. ∎


4.6. Proof and Completeness

As is the case with other decision algorithms based on tableaux, a complete proof system for MPL can be derived from the tableau method for MPL. The axioms and inference rules of such a system are listed below as system A.


System A

Axioms

A1. All substitution instances of propositional calculus tautologies.

A2. □p ⊃ p.

A3. □(p ⊃ q) ⊃ (□p ⊃ □q).

A4. ◊p ⊃ □◊p.

A5. ◊P ⊃ □P for P ∈ Φ_0.

A6. H ⊃ Y false.

A7. □Yp ⊃ Y□p.

A8. Yp ≡ (X true ⊃ Xp).

A9. Y(p ⊃ q) ⊃ (Yp ⊃ Yq).

A10. Gp ⊃ Yp.

A11. G(p ⊃ Yp) ⊃ (p ⊃ Gp).

A12. G(p ⊃ q) ⊃ (Gp ⊃ Gq).

A13. Gp ⊃ pWq.

A14. pWq ≡ q ⊃ (p ∧ Y(pWq)).

Rules of Inference

PA1. p, p ⊃ q ⊢ q (Modus Ponens).

PA2. p ⊢ □p.

PA3. p ⊢ Gp.
Verification of soundness of system A is left to the reader. The only axiom which is not obviously valid is A7. Moving the Y in front of the □ effectively decreases the range over which □ quantifies to those paths which make the same next transition as the current path.

Before proving system A complete, we list a few useful theorems of system A. We say that p is provable by PC from q_1, ..., q_n if p follows from q_1, ..., q_n and instances of A1 by Modus Ponens.

The reader familiar with the classical modal logic S5 will recognize axioms A1-A4, together with proof rules PA1 and PA2, as a complete proof system for S5. It follows that every substitution instance of an S5 theorem, where □ and ◊ are taken to be the S5 modalities, is an MPL theorem. Due to axiom A5, the converse is not true; that is, there are MPL theorems involving only □, ◊, ~ and propositional variables which are not S5 theorems. MPL is prevented from collapsing into propositional calculus only by the operators Y and W. Theorems TA1, TA2 and TA3 are all proved in [HC68] for S5.

Theorem TA1.

a) ⊢ □□p ≡ □p,

b) ⊢ □◊p ≡ ◊p,

c) ⊢ ◊□p ≡ □p,

d) ⊢ ◊◊p ≡ ◊p.

Theorem TA2. ⊢ □(p ∧ q) ≡ □p ∧ □q.

Theorem TA3. For P ∈ Φ_0, p any formula,

a) ⊢ □(a ∨ P) ≡ □a ∨ P,

b) ⊢ □(a ∨ ~P) ≡ □a ∨ ~P,

c) ⊢ □(a ∨ □p) ≡ □a ∨ □p,

d) ⊢ □(a ∨ ~□p) ≡ □a ∨ ~□p.

Theorem TA4.

a) ⊢ Y(p ∨ q) ≡ Yp ∨ Yq,

b) ⊢ Y(p ∨ q) ≡ Yp ∨ Xq,

c) ⊢ X(p ∨ q) ≡ Xp ∨ Xq,

d) ⊢ Y(p ⊃ q) ⊃ (Xp ⊃ Xq),

e) ⊢ Y(p ∧ q) ≡ Yp ∧ Yq,

f) ⊢ X(p ∧ q) ≡ Xp ∧ Yq,

g) ⊢ X(p ∧ q) ≡ Xp ∧ Xq,

h) ⊢ Xp ≡ Yp ∧ X true,

i) ⊢ X~p ≡ ~Yp.

Proof. Let PA4 be the derived inference rule p ⊢ Yp (from PA3, A10 and PA1).

1) (Yp ∧ X true) ⊃ Xp                    A8, re-;
2) Xp ≡ ~Y~p                             definition of Xp;
3) Xp ≡ ~(X true ⊃ X~p)                  (2), A8, PC;
4) Xp ≡ X true ∧ ~X~p                    (3), re-;
5) ~X~p ≡ Y~~p                           definition of X;
6) Y(~~p ≡ p)                            (5), A1, PA4;
7) Y~~p ≡ Yp                             (6), A9 twice, PC;
8) Xp ≡ X true ∧ Yp                      (1), (4), (7), PC;
9) Y((p ∨ q) ⊃ (~p ⊃ q))                 (8), A1, PA4;
10) Y(p ∨ q) ⊃ (Y~p ⊃ Yq)                (9), A9 twice, PC;
11) Y(p ∨ q) ⊃ (Xp ∨ Yq)                 definition of Xp, (10), PC;
12) Y(p ⊃ (p ∨ q))                       (11), A1, PA4;
13) Yp ⊃ Y(p ∨ q)                        (12), A9, PC;
14) Yq ⊃ Y(p ∨ q)                        symmetry, (13);
15) Yp ∨ Yq ⊃ Y(p ∨ q)                   (13), (14), PC;
16) Xp ⊃ Yp                              (8), PC;
17) Xp ∨ Yq ⊃ Yp ∨ Yq                    (15), (16), PC;
18) Xp ∨ Yq ≡ Yp ∨ Yq ≡ Y(p ∨ q)         (11), (15), (17), PC;
19) Y(p ∧ q ⊃ p)                         A1, PA4;
20) Y(p ∧ q) ⊃ Yp                        (19), A9, PC;
21) Y(p ∧ q) ⊃ Yq                        symmetry, (20);
22) Y(p ⊃ (q ⊃ p ∧ q))                   A1, PA4;
23) Yp ⊃ (Yq ⊃ Y(p ∧ q))                 (22), A9 twice, PC;
24) Yp ∧ Yq ⊃ Y(p ∧ q)                   (22), PC;
25) Yp ∧ Yq ≡ Y(p ∧ q)                   (20), (21), (24), PC.

The reader should have no difficulty proving those parts of theorem TA4 which are not lines above.
Theorem TA5. ⊢ □Xp ⊃ X□p.

Proof.

1) □(Xp ≡ X true ∧ Yp)                   TA4(h), PA2;
2) □Xp ≡ □(X true ∧ Yp)                  (1), A3 twice;
3) □Xp ≡ □X true ∧ □Yp                   (2), TA2, PC;
4) □X true ≡ X true                      A2;
5) □Xp ≡ X true ∧ □Yp                    (3), (4), PC;
6) □Xp ⊃ X true ∧ Y□p                    (5), A7, PC;
7) X□p ≡ X true ∧ Y□p                    TA4(h);
8) □Xp ⊃ X□p                             (6), (7), PC.

Some definitions of sets and formulas in the tableau T(p_0) make the completeness proof more concise.

S'_v = {q ∈ S_v : q has the form P, ~P, □p or ~□p},

S''_v = S_v − S'_v,

S*_v = {p : Yp ∈ S_v} ∪ {~p : ~Yp ∈ S_v}
     ∪ {(a_1 ∨ ... ∨ a_k ∨ ~b_1 ∨ ... ∨ ~b_m), □(a_1 ∨ ... ∨ a_k ∨ ~b_1 ∨ ... ∨ ~b_m) : □(Ya_1 ∨ ... ∨ Ya_k ∨ ~Yb_1 ∨ ... ∨ ~Yb_m) ∈ S_v},

p_v = ∧_{q ∈ S_v} q,

p'_v = ∧_{q ∈ S'_v} q,

p''_v = ∧_{q ∈ S''_v} q,

z_v = ∧_{q ∈ Z_v} q,

p*_v = ∧_{q ∈ S*_v} q.

We now state four lemmas, then prove that system A is complete.


Lemma 4.16. For TR1-TR12,

a) If p → q, r is a transformation, then ⊢ (p ≡ q ∧ r);

b) If p → q or r is a transformation, then ⊢ (p ≡ q ∨ r).

Proof. Routine. ∎

Lemma 4.17. For every node v in T(p_0) (consistent or inconsistent), ⊢ (p_v ⊃ z_v).

Proof. Lemma 4.17 is proven almost identically to lemma 4.11. Where that proof uses the fact that if p is transformed to q, then q ⊃ p is valid, here we must use the fact that q ⊃ p is provable. That follows from lemma 4.16. ∎

Lemma 4.18. Suppose there is an X-arc leaving node v, and u_1, ..., u_n are all of the nodes in T(p_0) (both consistent and inconsistent) which are reachable from v by an X-arc. Then ⊢ (p*_v ⊃ (p_{u_1} ∨ ... ∨ p_{u_n})).
Proof. Nodes u_1, ..., u_n were created by first creating a node u_0 by TR14, and then splitting u_0 by or-type transformations. We show that at every stage in the reduction of u_0 to u_1, ..., u_n, if u'_1, ..., u'_k are the present nodes, then ⊢ (p*_v ⊃ (p_{u'_1} ∨ ... ∨ p_{u'_k})).

The base case, u_0, is trivial since TR14 sets S_{u_0} = S*_v. As each transformation TR1-TR12 is applied, either a conjunct of p_{u'_i} is replaced by provably equivalent conjuncts for some i, by lemma 4.16(a), or u'_i is split by an or-type transformation into u''_i and u'''_i. By lemma 4.16(b), ⊢ p_{u''_i} ∨ p_{u'''_i} ≡ p_{u'_i}. Hence ⊢ p*_v ⊃ p_{u'_1} ∨ ... ∨ p_{u'_{i-1}} ∨ p_{u''_i} ∨ p_{u'''_i} ∨ p_{u'_{i+1}} ∨ ... ∨ p_{u'_k} by PC.

The formula added to v by TR16(a) is implied by formulas already in S_v. TR16(b) adds no formulas to the original node of a group of nodes connected by ◊-arcs, and only that original node can have an X-arc pointing to it.

It is easy to see that the filtration rule preserves lemma 4.18. ∎


Lemma 4.19. Suppose there is a u such that vXu. Then ⊢ (p_v ⊃ Xp*_v).

Proof. Let the Y, ~Y and □ formulas in S_v be Ya_1, ..., Ya_k, ~Yb_1, ..., ~Yb_l, □(Yc^i_1 ∨ ... ∨ Yc^i_{m_i} ∨ ~Yd^i_1 ∨ ... ∨ ~Yd^i_{n_i}), for i = 1, ..., t. By definition p*_v = ∧_i a_i ∧ ∧_i ~b_i ∧ ∧_i □(∨_j c^i_j ∨ ∨_j ~d^i_j). Because every member of S_v is a conjunct in p_v, we have

⊢ (p_v ⊃ ∧_i Ya_i ∧ ∧_i ~Yb_i ∧ ∧_i □(∨_j Yc^i_j ∨ ∨_j ~Yd^i_j)).

Theorem TA4 can be used to bring conjunctions and disjunctions of Y and ~Y formulas under a single Y. Axiom A7 is used to move a Y outside of a □. We get

⊢ (p_v ⊃ Y(∧_i a_i ∧ ∧_i ~b_i ∧ ∧_i □(∨_j c^i_j ∨ ∨_j ~d^i_j))),

⊢ p_v ⊃ Yp*_v.

Moreover, TR14 only draws an X-arc from v to u if either l > 0 or m_i = 0 for some i. In either case, TA4 and A2 permit us to prove the stronger form

⊢ p_v ⊃ Xp*_v. ∎

We now finish the proof of theorem 4.7, proving (3) ⇒ (2) and (2) ⇒ (1).

Lemma 4.20. ((2) ⇒ (1)) If ~p_v is provable then ~p_v is valid.

Proof. By soundness of system A. ∎

Lemma 4.21. ((3) ⇒ (2)) If v is inconsistent in T(p_0), then ⊢ ~p_v.

Proof. The proof is by induction on the order in which nodes are marked inconsistent.

Case 1. Suppose v is marked inconsistent by C1. Then Z_v contains both p and ~p. By lemma 4.17, ⊢ (p_v ⊃ ~p ∧ p), so by PC, ⊢ ~p_v.
Case 2. Suppose v is marked inconsistent by C2. Then S_v contains H and there is an X-arc leaving v. By lemma 4.19, ⊢ p_v ⊃ Xp*_v, so by TA4(h) ⊢ p_v ⊃ X true. Using axiom A6 and PC, we have ⊢ ~p_v.


Case 3. Suppose v is marked inconsistent by C3. Then there must be a node u connected to v by a ◊-arc, and which is marked inconsistent earlier than v. Let p'_u = a_1 ∧ ... ∧ a_n and p''_u = b_1 ∧ ... ∧ b_m. Define p̄'_u = ~a_1 ∨ ... ∨ ~a_n, and p̄''_u = ~b_1 ∨ ... ∨ ~b_m.

⊢ ~p_u by induction,
⇒ ⊢ ~(p'_u ∧ p''_u) by p_u ≡ p'_u ∧ p''_u,
(*) ⇒ ⊢ p̄'_u ∨ p̄''_u by PC,
⇒ ⊢ □(p̄'_u ∨ p̄''_u) by PA2.

Every formula in p̄'_u either begins with ~□ or □, or is ~P or ~~P for some basic formula P, by the definition of p'_u. ~~ can be eliminated at step (*) by PC. By repeated application of theorem TA3,

⊢ p̄'_u ∨ □p̄''_u.

By TR16(a), ~□~p''_u is in S_u, and so ~~□~p''_u is a disjunct in p̄'_u. PC eliminates duplicate disjuncts, giving

⊢ p̄'_u by PC,
⇒ ⊢ ~p'_v by lemma 4.9,
⇒ ⊢ ~p_v by p_v ≡ p'_v ∧ p''_v.

Case 4. Suppose $v$ is marked inconsistent by C4. Then there is an X-arc leaving $v$, and all of the nodes $u_1, \ldots, u_n$ which are pointed to by X-arcs from $v$ are marked inconsistent before $v$.

$$\begin{array}{lll}
& \bigwedge_i (u_i \text{ inconsistent}) & \\
\Rightarrow & \vdash \sim p_{u_i} \text{ for all } i & \text{by induction,} \\
\Rightarrow & \vdash \bigwedge_i \sim p_{u_i} & \text{by PC,} \\
\Rightarrow & \vdash \sim p_v^X & \text{by lemma 4.18,} \\
\Rightarrow & \vdash \Box \sim p_v^X & \text{by PA3,} \\
\Rightarrow & \vdash \sim X p_v^X & \text{by A10,} \\
& \vdash p_v \supset X p_v^X & \text{by lemma 4.19,} \\
\Rightarrow & \vdash \sim p_v & \text{by PC.}
\end{array}$$

Case 5. Suppose $v$ is made inconsistent by C5. Let $v_1, \ldots, v_k$ be all of the nodes (including $v$ itself) which are reachable from $v$ by a path of zero or more X-arcs, and which are consistent when C5 applies to $v$. We may assume that C1 is applied wherever possible before C5 is used. We can show that every $v_i$ has an X-arc leaving it. For, in order for C5 to apply, every $S_{v_i}$ must contain both $\sim(pWq)$ and $p$. If $\sim(pWq)$ is transformed to $\sim q$ and $\sim Y(pWq)$ by TR4, then $v_i$ must have an X-arc leaving it. On the other hand, if $\sim(pWq)$ is transformed to $\sim q$ and $\sim p$, then $v_i$ is inconsistent by C1. Let $v_{i1}, \ldots, v_{im_i}$, $m_i > 0$, be all of the nodes for which $v_i \to_X v_{ij}$, for $i = 1, \ldots, k$, $j = 1, \ldots, m_i$. We write $p_i$ for $p_{v_i}$, $p_i^X$ for $p_{v_i}^X$, and $p_{ij}$ for $p_{v_{ij}}$.

$$\begin{array}{lll}
(1) & \vdash (p_i \supset X p_i^X) & \text{by lemma 4.19;} \\
(2) & \vdash (p_i^X \supset \bigvee_j p_{ij}) & \text{by lemma 4.18;} \\
(3) & \vdash Y(p_i^X \supset \bigvee_j p_{ij}) & \text{by (2), PA3, A10;} \\
(4) & \vdash X p_i^X \supset X \bigvee_j p_{ij} & \text{by (3), TA4(d);} \\
(5) & \vdash p_i \supset X \bigvee_j p_{ij} & \text{by (1), (4), PC;} \\
(6) & \vdash \bigvee_j p_{ij} \supset \bigvee_i p_i & \text{by PC;} \\
(7) & \vdash X \bigvee_j p_{ij} \supset X \bigvee_i p_i & \text{by (6), PA3, A10, TA4;} \\
(8) & \vdash p_i \supset X \bigvee_i p_i & \text{by (5), (7), PC.}
\end{array}$$

But (8) holds for every $i$, so all can be combined by PC to give

$$(9)\quad \vdash \bigvee_i p_i \supset X \bigvee_i p_i.$$

Let $q = \bigvee_i p_i$.

$$\begin{array}{lll}
(10) & \vdash q \supset Yq & \text{by (9), TA4(h);} \\
(11) & \vdash \Box(q \supset Yq) & \text{by (10), PA3;} \\
(12) & \vdash q \supset Gq & \text{by (11), A11.}
\end{array}$$

$S_{v_i}$ contains $p$ for all $i$, so by lemma 4.17

$$\begin{array}{lll}
(14) & \vdash (p_i \supset p) & \text{for all } i; \\
(15) & \vdash (q \supset p) & \text{by (14), PC;} \\
(16) & \vdash G(q \supset p) & \text{by (15), PA3;} \\
(17) & \vdash Gq \supset Gp & \text{by (16), A12;} \\
(18) & \vdash p_i \supset Gp & \text{by } p_i \supset q, \text{ (12), (17), PC;} \\
(19) & \vdash p_i \supset pWq & \text{by A13.}
\end{array}$$

Choosing $v_i = v$, we see that

$$(20)\quad \vdash p_v \supset pWq.$$

But $\sim(pWq)$ is in $S_v$, or C5 wouldn't apply. By lemma 4.16

$$(21)\quad \vdash p_v \supset \sim(pWq),$$

and, combining (20) and (21), we have $\vdash \sim p_v$. $\blacksquare$
Theorem 4.22 (completeness). If $p$ is valid then $p$ is provable in system A.

Proof. Let $u_1, \ldots, u_n$ be all of the nodes in $T(X\sim p)$ which are reachable from $v_0$ by an X-arc. $v_0$ is not changed when it contains $X\sim p$, so $p_{v_0} = X\sim p$.

$$\begin{array}{lll}
& p \text{ valid} & \\
\Rightarrow & Yp \text{ is valid} & \\
\Rightarrow & v_0 \text{ is inconsistent in } T(X\sim p) & \text{by theorem 4.7,} \\
\Rightarrow & u_1, \ldots, u_n \text{ are inconsistent} & \text{by consistency rule C4,} \\
\Rightarrow & \vdash \sim p_{u_i} \text{ for all } i & \text{by theorem 4.7,} \\
\Rightarrow & \vdash \sim(p_{u_1} \vee \ldots \vee p_{u_n}) & \text{by PC,} \\
\Rightarrow & \vdash \sim p_{v_0}^X & \text{by lemma 4.18, PC.}
\end{array}$$

But $p_{v_0}^X$ is just $\sim p$, so $\vdash p$ by PC. $\blacksquare$

Gabbay  et  al.  define  a  proof  system  DUX  for  the 
logic  of  until  on  infinite  paths.  Their  axioms  are 
related  to  A8-A14,  but  are  different  due  to  their  slightly 
different  definitions  of  G  and  X,  and  the  fact  that  their 
paths  must  be  infinite.  Our  system  was  developed 
independently  of  theirs,  and  our  completeness  proof  is 
quite  different  from  theirs.  As  it  is  possible  to 
express  in  MPL  that  a  path  is  infinite,  our  method 
encompasses  theirs. 

As a final corollary to the decision method for MPL, we note that the LL-processes, those defined by finite LL-graphs, are complete for MPL.

Theorem 4.23. Every satisfiable MPL formula is satisfied by a model whose process is an LL-process. $\blacksquare$


Chapter  5 


Programs  in  Process  Logic 

In  this  chapter  we  define  an  extension  MPL/P  of  MPL 
by  adding  programs  to  the  syntax  of  formulas.  Though 
MPL/P  is  a  natural  extension  of  MPL,  MPL/P  proves  much 
more  difficult  to  analyze  than  MPL.  We  have  few  results 
concerning  MPL/P. 

The main purpose of this chapter is to give a formal definition of MPL/P, an important extension of MPL, and to relate the expressive power of MPL/P to that of other logics. In judging the relative power of two logics of processes, it is only fair that either both have programs, or neither has programs. We show that MPL/P is more expressive than PDL or SOAPL, and is at least as expressive as PDL+ and Nishimura's process logic, NL. We conjecture that MPL/P is strictly more expressive than all four of the above logics.

5.1.  Definitions 

In  this  section  we  define  MPL/P.  Programs  were 
defined  in  Chapter  1.  For  MPL/P,  we  need  to  extend 
programs  to  labeled  programs. 

Labels 


The usual method of reasoning about a program is to reason about each part separately, combining the separate results to obtain a result applying to the whole. While that method works well for sequential programs, we encounter difficulties when trying to use it for concurrent programs. The behavior of α running in isolation can be so different from its behavior when running concurrently with β, that we can never divorce α from β when we reason about α//β. Nevertheless, we would like to be able to discuss α's contribution to the system α//β. We do that by giving α a name, say ℓ. By referencing ℓ, we can make statements such as:

1) In α//β, whenever α halts, p holds;

2) (finite delay) on every infinite path, α makes infinitely many transitions;

3) α preserves the truth of p (though β may not).

This is the sort of non-interference property which is implicit in Owicki's proof technique, but which cannot be expressed in her logic.

Labels have many different uses. It is clear that we need some means of referring to parts of a program. But it is not the purpose of this work to study the relationships between various forms of label references. Rather, we simply demonstrate what can be said with certain types of label references. Thus we feel justified in providing MPL/P with a variety of means of referring to labels. It may turn out that some are expressible in terms of the others.

Labels have basically two different uses: as position labels, telling the current value of a program counter, and as transition labels, telling which part of a program makes a particular transition. Statement (1) above uses a position label to tell when α has terminated; that is, when α is at its final label. Statement (2) uses a transition label to determine whether α makes any transitions.

Labels are added to processes as follows. To every transition is added two sets of labels from a label set Γ. The first set consists of position labels, the second set of transition labels.

$$\Pi'_\Gamma(U) = (\mathcal{P}(\Gamma) \times U \times \mathcal{P}(\Gamma) \times U)^{*+\omega},$$

$$\Pi_\Gamma(U) = \mathcal{P}(\Pi'_\Gamma(U)).$$

The operator : is the labeling operator. If ℓ is a label and α is a program, then ℓ:α is a program. Every transition made by α is labeled ℓ. In ℓ₁:ℓ₂:α, every transition is labeled both ℓ₁ and ℓ₂. The function $\pi$: programs $\to \Pi_\Gamma(U)$ is defined as follows:

1. Basic programs have the usual semantics, with $S = T = \emptyset$ in every transition $\langle S,u,T,v\rangle$. The constraints listed on page 12 apply to basic programs.

2. If p is a formula, then $\Box p?$ is a program. The box forces testable formulas to depend only on a stage and a process, not on a path. If p is already independent of a path, then $\Box p = p$, and the $\Box$ may be ignored. As are basic programs, tests are labeled $\emptyset$.

3. $\pi(\ell{:}\alpha)$ is obtained from $\pi(\alpha)$ by replacing every transition $\langle S,u,T,v\rangle$ by $\langle S \cup \{\ell\}, u, T \cup \{\ell\}, v\rangle$.

4. $\alpha \cup \beta$, $\alpha;\beta$ and $\alpha^*$ have the usual meanings.

5. The shuffle operator // must be defined so as to maintain position labels. Transition labels need no special treatment. If $\sigma$ and $\tau$ are two transition sequences, define $\sigma^\tau$ to be $\sigma$, with every transition $\langle S,u,T,v\rangle$ replaced by $\langle S \cup S', u, T, v\rangle$, where $\tau = \langle S',u',T',v'\rangle\tau'$. If $\sigma_1\sigma_2\ldots \in \pi(\alpha)$ and $\tau_1\tau_2\ldots \in \pi(\beta)$ (any of the $\sigma_i$ and $\tau_i$ are permitted to be either empty, finite or infinite) then $\sigma_1^{\tau_1}\,\tau_1^{\sigma_2}\,\sigma_2^{\tau_2}\,\tau_2^{\sigma_3}\ldots$ is in $\pi(\alpha//\beta)$.

The dot operator

An MPL formula describes a property of a process. Until now, we have only tested the truth of a formula with respect to the process provided by an MPL structure. A natural extension of MPL is to let a structure provide many different processes, and to add to MPL a means of specifying which process or combination of processes is supposed to satisfy a given formula. The dot operator serves that purpose, the formula $\alpha\cdot p$ meaning "p holds for process $\pi(\alpha)$."
5.2. Formal semantics of MPL/P

An MPL/P structure is a six-tuple $A = (U, \Sigma, \pi_0, \Phi_0, \phi_0, \Gamma)$, where $U$, $\Phi_0$ and $\phi_0$ are the same as in an MPL structure, and

$\Sigma$ is a set of basic programs,

$\pi_0: \Sigma \to \Pi_\Gamma(U)$ assigns a process to each basic program, and

$\Gamma$ is a set of labels.

An MPL/P environment, providing all of the information needed to determine the truth value of any MPL/P formula, consists of a structure $A$, a process $\pi$, a path $\psi \in \pi$ and a stage $\tau \sqsubseteq \psi$.

Let α be a labeled program, $\ell \in \Gamma$, $p, q$ be MPL/P formulas, and $P \in \Phi_0$ be a basic formula.

1. $P$ is an MPL/P formula. $\pi,\psi,\tau \models P$ iff $end(\tau) \in \phi_0(P)$.

2. $\sim p$, $p \vee q$ are MPL/P formulas, with the usual semantics.

3. $Yp$ is an MPL/P formula. $\pi,\psi,\tau \models Yp$ iff $(\forall \langle S,u,T,v\rangle)\bigl((\tau\langle S,u,T,v\rangle \sqsubseteq \psi$ and $\tau\langle S,u,T,v\rangle$ is legal$) \supset \pi,\psi,\tau\langle S,u,T,v\rangle \models p\bigr)$.

4. $pWq$ is an MPL/P formula. $\pi,\psi,\tau \models pWq$ iff $(\forall\tau')\bigl(\tau \sqsubseteq \tau' \sqsubseteq \psi \supset ((\forall\tau'')(\tau \sqsubseteq \tau'' \sqsubseteq \tau' \supset \pi,\psi,\tau'' \not\models q) \supset \pi,\psi,\tau' \models p)\bigr)$.

5. $\Box p$ is an MPL/P formula. $\pi,\psi,\tau \models \Box p$ iff $(\forall\psi' \in \pi)(\tau \sqsubseteq \psi' \supset \pi,\psi',\tau \models p)$.

6. $\alpha\cdot p$ is an MPL/P formula. Let $u = end(\tau)$. $\pi,\psi,\tau \models \alpha\cdot p$ iff $(\forall\psi' \in \pi(\alpha))((u,\lambda) \sqsubseteq \psi' \supset \pi(\alpha),\psi',(u,\lambda) \models p)$.

We provide a variety of formulas for referencing labels.

7. $N\ell$ means "the next transition is made by program $\ell{:}\alpha$." $\pi,\psi,\tau \models N\ell$ iff $\psi = \tau\langle S,u,T,v\rangle\psi'$ and $\ell \in T$.

8. $in(\ell)$ means "some program is executing in $\ell{:}\alpha$." $\pi,\psi,\tau \models in(\ell)$ iff $\psi = \tau\langle S,u,T,v\rangle\psi'$ and $\ell \in S$.

9. $@\ell$ means "some program is just ready to start $\ell{:}\alpha$." $\pi,\psi,\tau \models @\ell$ iff ($\tau = \tau'\langle S,u,T,v\rangle$ and $\ell \notin S$, or $\tau = (u,\lambda)$) and ($\psi = \tau\langle S',u',T',v'\rangle\psi'$ and $\ell \in S'$).

10. $end(\ell)$ means "some program has just finished $\ell{:}\alpha$." $\pi,\psi,\tau \models end(\ell)$ iff $\tau = \tau'\langle S,u,T,v\rangle$ and $\ell \in S$ and ($\psi = \tau\langle S',u',T',v'\rangle\psi'$ and $\ell \notin S'$, or $\psi = \tau$).

Examples of formulas using labels are

1) whenever α terminates, p holds $\equiv (\ell{:}\alpha)//\beta\cdot\Box G(end(\ell) \supset p)$;

2) α preserves p $\equiv (\ell{:}\alpha)//\beta\cdot\Box G(p \wedge N\ell \supset Yp)$.
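The labeling and shuffle operators of 5.1 (items 3 and 5) and the label predicates $N\ell$, $in(\ell)$, $@\ell$ and $end(\ell)$ of 5.2, as an added Python example that is not part of the thesis. Transitions are <S,u,T,v> tuples, a stage is the length k of a prefix of a finite path, and the programs, labels and states used (l, m, s0 to s3) together with the chunking that picks one interleaving of α//β are assumptions of the example.

```python
# Added example, not from the thesis: labeled transition sequences of MPL/P
# (Section 5.1, items 1, 3 and 5) and the label predicates of Section 5.2
# (items 7-10), evaluated on one constructed path of alpha//beta.
from typing import FrozenSet, List, Set, Tuple

# A transition <S,u,T,v>: S = position labels, T = transition labels.
Trans = Tuple[FrozenSet[str], str, FrozenSet[str], str]

def basic(u: str, v: str) -> Trans:
    """Transition of a basic program: both label sets empty (item 1)."""
    return (frozenset(), u, frozenset(), v)

def label(l: str, seq: List[Trans]) -> List[Trans]:
    """pi(l:alpha): <S,u,T,v> becomes <S u {l}, u, T u {l}, v> (item 3)."""
    return [(S | {l}, u, T | {l}, v) for (S, u, T, v) in seq]

def overlay(sigma: List[Trans], tau: List[Trans]) -> List[Trans]:
    """sigma^tau: each transition of sigma also carries the position labels S'
    of tau's first transition, i.e. of the component waiting to run (item 5)."""
    pending = tau[0][0] if tau else frozenset()
    return [(S | pending, u, T, v) for (S, u, T, v) in sigma]

def shuffle(sig: List[List[Trans]], tau: List[List[Trans]]) -> List[Trans]:
    """One path of alpha//beta: sigma_1^tau_1 tau_1^sigma_2 sigma_2^tau_2 ...
    Chunks may be empty. Whether the interleaving is legal (states of
    successive transitions match up) is a separate check not done here."""
    path: List[Trans] = []
    for i in range(max(len(sig), len(tau))):
        s_i = sig[i] if i < len(sig) else []
        t_i = tau[i] if i < len(tau) else []
        s_next = sig[i + 1] if i + 1 < len(sig) else []
        path += overlay(s_i, t_i) + overlay(t_i, s_next)
    return path

# A stage is the prefix of the path of length k; end(stage) is its last state.
def end_state(start: str, path: List[Trans], k: int) -> str:
    return start if k == 0 else path[k - 1][3]

def next_by(l: str, path: List[Trans], k: int) -> bool:        # N l
    return k < len(path) and l in path[k][2]

def executing_in(l: str, path: List[Trans], k: int) -> bool:   # in(l)
    return k < len(path) and l in path[k][0]

def ready_to_start(l: str, path: List[Trans], k: int) -> bool: # @l
    return (k == 0 or l not in path[k - 1][0]) and executing_in(l, path, k)

def just_finished(l: str, path: List[Trans], k: int) -> bool:  # end(l)
    return k > 0 and l in path[k - 1][0] and (k == len(path) or l not in path[k][0])

def halts_implies(l: str, start: str, path: List[Trans], p_states: Set[str]) -> bool:
    """G(end(l) => p) along this path: whenever l:alpha has just finished, p
    holds, p being given as the set of states where the basic formula is true."""
    return all(not just_finished(l, path, k) or end_state(start, path, k) in p_states
               for k in range(len(path) + 1))

# Constructed input (assumed names): alpha = l:(a;b) with a: s0->s1, b: s2->s3,
# beta = m:c with c: s1->s2; the chosen interleaving runs a, then c, then b.
alpha = label("l", [basic("s0", "s1"), basic("s2", "s3")])
beta = label("m", [basic("s1", "s2")])
PATH = shuffle([alpha[:1], alpha[1:]], [beta])
```

On PATH both components are ready to start at stage 0, m is executing in the middle transition while l waits, and end(l) holds only at the final stage.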
5.3. Expressive power of MPL/P

We begin by relating MPL/P to PDL+, SOAPL, and NL. Each has been claimed (see [HP78], [Pa78], [N79]) to be a powerful logic, particularly NL, which Nishimura shows is expressively complete for a class of logics related to and including Pratt's process logic.

In each simulation, we assume that the logic being simulated is defined in an appropriate manner over MPL/P models, so that it makes sense to relate expressive powers of the logics.

PDL+

The [ ] and [ ]+ operators of PDL+ (see [HP78]) are defined in MPL/P as follows:

$$[\alpha]p \equiv \alpha\cdot\Box G(\Box H \supset p),$$

$$[\alpha]^+p \equiv [\alpha]p \wedge \alpha\cdot\Box F Y false.$$

Hence MPL/P is at least as expressive as PDL+. That MPL/P is more expressive than PDL follows from the fact that SOAPL is at least as expressive as PDL, and MPL/P is more expressive than SOAPL.

SOAPL

Nishimura [N79] shows that NL can simulate SOAPL, so we only need to simulate NL. That MPL/P is more expressive than SOAPL follows from Parikh's result [Pa78] that every satisfiable SOAPL formula is satisfied by a closed process. $A\cdot(FYfalse \wedge G\Diamond Xtrue)$, stating that A contains no infinite paths, but A can always make more progress, is satisfied by some non-closed A, but not by any closed A.

NL

Nishimura's operator $[\alpha]$ is just our dot operator $\alpha\cdot$. Besides $[\alpha]$, NL has only until and Boolean functions, which are easily handled by MPL/P. NL has no analog to our $\Box$ operator, which leads us to conjecture that NL is weaker than MPL/P.

Recently Harel, Kozen and Parikh [HKP80] have defined a process logic PL which merges temporal logic and PDL in a way somewhat different from MPL. PL was unknown to us when we developed MPL. In PL, all formulas, including basic formulas, depend for their truth values on paths. The semantics of the PDL operator $\langle\alpha\rangle p$ is changed as follows:

$$\psi \models \langle\alpha\rangle p \text{ iff } (\exists\psi' \in \pi(\alpha))(\psi\psi' \models p).$$

Additionally, PL includes the until operator, and an operator $f$ which is defined by

$$\psi \models fp \text{ iff } start(\psi) \models p.$$

The relation between PL and MPL/P is not at all clear. Due to our result that nonstandard and standard semantics produce the same satisfiable formulas, it might not be important that basic formulas are interpreted over paths in PL. But MPL/P does not appear to be able to simulate $\langle\alpha\rangle p$, due to the fact that $\langle\alpha\rangle p$ depends on an entire path, not just its final state. Conversely, PL does not appear to have any means of expressing branching time properties of programs.

Finite delay

Our // operator permits one component to run forever, to the exclusion of the other. In some applications we may want to assume that // is fair, so that any component which is active eventually gets to run a step. Even with our unfair // operator, MPL/P can be used to discuss programs with a fair // operator. For example, suppose our fairness criterion is that, on every infinite path in α//β, both α and β make infinitely many transitions. Let

$$FD(\ell) \equiv (GXtrue \supset GFN\ell).$$

Then

$$(\ell_1{:}\alpha)//(\ell_2{:}\beta)\cdot(FD(\ell_1) \wedge FD(\ell_2) \supset p)$$

states that every fair path in α//β obeys p. $FD(\ell)$ is an oversimple fairness criterion. A more reasonable one takes into account that one of the components may terminate or remain blocked forever. A statement which takes into account those possibilities is

$$FD2(\ell) \equiv GXtrue \supset (F\,end(\ell) \vee GFN\ell \vee FG\Box\sim N\ell),$$

which states that, on every infinite path, either program ℓ terminates, or it makes infinitely many transitions, or beyond some stage it is never possible for ℓ to make the next transition, even on a different path.

Partial correctness proofs

One test of the power of a logic is whether existing proofs can be carried out within that logic. In order to use a particular proof method, not only the end results but all of the intermediate results must be expressible in the logic. Suitable proof rules can then be written.

Owicki [OG76] gives a proof system for proving partial correctness assertions about concurrent programs. A very important notion in her proof system is that of non-interference; that is, in α//β, no step of α can cause p to change from true to false. We have shown above that non-interference can be expressed in MPL/P. Owicki's logic provides no mechanism for expressing non-interference, with the result that non-interference must be added artificially to a proof rule, whose antecedents are not formulas, but are proofs. By expressing non-interference in MPL/P, we carry out simulations of Owicki-style proofs, using the usual sort of proof rules, which prove certain formulas, given certain other formulas. Furthermore, we are permitted greater flexibility. If we have designed our program so that β does not interfere with α because β preserves p, we can prove, once and for all, that β preserves p in α//β. We might then show that α//A works correctly (for some suitable meaning of "correct") whenever A preserves p.

5.4. Conclusion

We have shown that MPL/P is a powerful logic of processes. Moreover, with such statements as "α cannot deadlock," written in MPL/P as $\alpha\cdot\Box G(H \vee \Diamond Xtrue)$, and the statement that all finite delay paths of α//β obey p, we have shown that at least a good part of the power of MPL/P is needed. Any logic of processes which is less expressive than MPL/P should have its lack of power justified, whether to permit analysis, or because for a certain application the full power of MPL/P is not needed.

We have no decision method or proof system for MPL/P. The tableau method used for MPL does not readily extend to MPL/P. It seems unlikely that the addition of programs to MPL results in an undecidable logic. The existence of a complete proof system for PL [HKP80], which appears to have some features in common with MPL/P, is encouraging.